Elisa Lippincott (TippingPoint Global Product Marketing)TRENDMICROBLOG:7E6831E46F8BB1882B752045F527ABE6TippingPoint Threat Intelligence and Zero-Day Coverage – Week of April 17, 2017
0.974 High
EPSS
Percentile
99.9%
I’ve never been one to adopt the latest fashion trends, aside from what I wore growing up in the 1980s. I wore shoulder pads, blue eyeliner, designer jeans, and even parachute pants. While I continue to rock my 80s hair to this day, other trends I thought were long gone are making a comeback. (Shoulder pads – seriously?) History tends to repeat itself – what’s old is new again – and it’s no different in the security world.
Last weekend, a group known as “Shadow Brokers” released a large set of tools that can exploit flaws in several versions of Microsoft products and other platforms. A number of the exploits have CVEs that date as far back as 2001. In fact, one of the exploits named “EwokFrenzy” was discovered through our Zero Day Initiative over 10 years ago. Customers with TippingPoint solutions have had coverage for EwokFrenzy through Digital Vaccine® (DV) filter 4033 since January 2006!
Our TippingPoint DVLabs team continues to review the contents associated with the Shadow Brokers disclosure to recommend coverage for TippingPoint solutions. The following table includes the DV filters that provide protection, including new filters released in an out-of-band release this week:
| Exploit Name | ** MS Bulletin** | ** CVE/ZDI** | ** Filters** | ** 0day?** | ** Status** |
|---|---|---|---|---|---|
| DoublePulsar | |||||
| (Payload) | *27935 | N/A | Policy Filter | ||
| EarlyShovel | *27938 | Unknown | Detects Exploit | ||
| EasyBee** | CVE-2007-1675 | ||||
| ZDI-07-011 | No | Investigating | |||
| EasyPi | Unknown | Investigating | |||
| EbbisLand | CVE-2001-0236 | 621, 622, 3512, 3791 | No | Investigating | |
| EchoWrecker | CVE-2003-0201 | 1676 | No | Investigating | |
| EclipsedWing | MS08-067 | CVE-2008-4250 | 6515 | No | Detects Exploit |
| EducatedScholar | MS09-050 | 8465 | No | Detects Exploit | |
| ELV | MS06-040 | CVE-2006-3439 | 9317 | No | Detects Exploit |
| EmeraldThread | MS10-061 | 10458, *27939 | No | Detects Exploit | |
| EmphasisMine | Unknown | Investigating | |||
| EnglishManDentist | Unknown | Investigating | |||
| ErraticGopher | *27932 | Yes | Detects Exploit | ||
| ESKE | CVE-2003-0352 | No | Investigating | ||
| EskimoRoll | MS14-068 | CVE-2014-6324 | *27940 | No | Exploit Unfilterable |
| Policy Filter | |||||
| EsteemAudit | *27933 | Yes | Detects Exploit | ||
| EternalBlue | MS17-010 | 27433, 27711, *27928 | No | Detects Exploit | |
| EternalChampion | MS17-010 | CVE-2017-0146 | 27433, 27711, *27929 | No | Detects Exploit |
| EternalRomance | MS17-010 | No | Investigating | ||
| EternalSynergy | MS17-010 | CVE-2017-0714 | *27937 | No | Detects Exploit |
| Etre | No | Investigating | |||
| EVFR | CVE-2003-0109 | 1612 | No | Detects Exploit | |
| EwokFrenzy | CVE-2007-1675 | ||||
| ZDI-07-011 | 4033 | No | Detects Exploit | ||
| ExplodingCan | CVE-2017-7269 | 27643 | No | Detects Exploit |
- New DV filter
**Identical to EwokFrenzy, but exploit untested against filter
Click here for more information on Trend Micro’s response and recommendations for coverage across all Trend Micro products.
Adobe Update
This week’s Digital Vaccine (DV) package includes coverage for Adobe Security Bulletins released on or before April 6, 2017.The following table maps Digital Vaccine filters to the Adobe updates. Filters marked with an asterisk (*) shipped prior to this DV package, providing preemptive zero-day protection for customers. You can get more detailed information on this month’s Adobe security updates from Dustin Childs’ April 2017 Security Update Review:
| Bulletin # | CVE # | Digital Vaccine Filter # | Status |
|---|---|---|---|
| APSB17-10 | CVE-2017-3058 | 27698 | |
| APSB17-10 | CVE-2017-3059 | *27697 | |
| APSB17-10 | CVE-2017-3060 | 27832 | |
| APSB17-10 | CVE-2017-3061 | 27833 | |
| APSB17-10 | CVE-2017-3062 | *27533 | |
| APSB17-10 | CVE-2017-3063 | *27534 | |
| APSB17-10 | CVE-2017-3064 | 27836 | |
| APSB17-11 | CVE-2017-3013 | 27923, 27925 | |
| APSB17-11 | CVE-2017-3014 | 27824 | |
| APSB17-11 | CVE-2017-3017 | 27827 | |
| APSB17-11 | CVE-2017-3019 | *26521 | |
| APSB17-11 | CVE-2017-3020 | *26491 | |
| APSB17-11 | CVE-2017-3021 | *26510 | |
| APSB17-11 | CVE-2017-3022 | *26631 | |
| APSB17-11 | CVE-2017-3023 | *26535 | |
| APSB17-11 | CVE-2017-3024 | 27829 | |
| APSB17-11 | CVE-2017-3025 | 27851 | |
| APSB17-11 | CVE-2017-3026 | 27852 | |
| APSB17-11 | CVE-2017-3027 | 27909 | |
| APSB17-11 | CVE-2017-3028 | *27160 | |
| APSB17-11 | CVE-2017-3029 | *27159 | |
| APSB17-11 | CVE-2017-3030 | 27823 | |
| APSB17-11 | CVE-2017-3031 | *27241, *27260 | |
| APSB17-11 | CVE-2017-3032 | *27158 | |
| APSB17-11 | CVE-2017-3033 | *27261 | |
| APSB17-11 | CVE-2017-3034 | *27225 | |
| APSB17-11 | CVE-2017-3035 | *27236 | |
| APSB17-11 | CVE-2017-3036 | *27304 | |
| APSB17-11 | CVE-2017-3037 | 27849 | |
| APSB17-11 | CVE-2017-3038 | 27908 | |
| APSB17-11 | CVE-2017-3039 | 27905 | |
| APSB17-11 | CVE-2017-3041 | 27903 | |
| APSB17-11 | CVE-2017-3043 | N/A | Local Vulnerability |
| APSB17-11 | CVE-2017-3042 | *27554, *27556, *27557, *27811 | |
| APSB17-11 | CVE-2017-3044 | 27914 | |
| APSB17-11 | CVE-2017-3045 | 27915 | |
| APSB17-11 | CVE-2017-3046 | 27916 | |
| APSB17-11 | CVE-2017-3047 | 27919 | |
| APSB17-11 | CVE-2017-3048 | *27750 | |
| APSB17-11 | CVE-2017-3049 | 27922 | |
| APSB17-11 | CVE-2017-3050 | *27808 | |
| APSB17-11 | CVE-2017-3051 | *27749 | |
| APSB17-11 | CVE-2017-3052 | *27748 | |
| APSB17-11 | CVE-2017-3053 | *27704 | |
| APSB17-11 | CVE-2017-3054 | N/A | Insufficient Information |
| APSB17-11 | CVE-2017-3055 | *27522 | |
| APSB17-11 | CVE-2017-3056 | *27520 | |
| APSB17-11 | CVE-2017-3057 | *27521 | |
| APSB17-11 | CVE-2017-3011 | N/A | Insufficient Information |
| APSB17-11 | CVE-2017-3012 | N/A | Insufficient Information |
| APSB17-11 | CVE-2017-3015 | N/A | Insufficient Information |
| APSB17-11 | CVE-2017-3018 | N/A | Insufficient Information |
| APSB17-11 | CVE-2017-3039 | N/A | Insufficient Information |
| APSB17-11 | CVE-2017-3040 | N/A | Insufficient Information |
| APSB17-11 | CVE-2017-3065 | N/A | Insufficient Information |
Zero-Day Filters
There are 13 new zero-day filters covering four vendors in this week’s Digital Vaccine (DV) package. A number of existing filters in this week’s DV package were modified to update the filter description, update specific filter deployment recommendation, increase filter accuracy and/or optimize performance. You can browse the list of published advisories and upcoming advisories on the Zero Day Initiative website.
Adobe (10)
|
- 27812: ZDI-CAN-4572: Zero Day Initiative Vulnerability (Adobe Acrobat Pro DC)
- 27820: ZDI-CAN-4571: Zero Day Initiative Vulnerability (Adobe Acrobat Reader DC)
- 27821: ZDI-CAN-4570: Zero Day Initiative Vulnerability (Adobe Acrobat Pro DC)
- 27822: ZDI-CAN-4569: Zero Day Initiative Vulnerability (Adobe Acrobat Pro DC)
- 27832: HTTP: Adobe Flash length Memory Corruption Vulnerability (ZDI-17-247, ZDI-17-248)
- 27914: HTTP: Adobe Acrobat Pro DC JPEG2000 Buffer Overflow Vulnerability (ZDI-17-267)
- 27915: HTTP: Adobe Acrobat Pro DC JPEG2000 Memory Corruption Vulnerability (ZDI-17-268)
- 27916: HTTP: Adobe Acrobat Pro DC JPEG2000 Memory Corruption Vulnerability (ZDI-17-270)
- 27919: HTTP: Adobe Acrobat Pro DC Annotations Use-After-Free Vulnerability (ZDI-17-271)
- 27922: HTTP: Adobe Acrobat Pro DC ImageConversion Buffer Overflow Vulnerability (ZDI-17-273)_ _
—|—
|
Cisco (1)
|
- 27807: ZDI-CAN-4635: Zero Day Initiative Vulnerability (Cisco License Manager Server)
—|—
|
MIcrosoft (1)
|
- 27810: ZDI-CAN-4573: Zero Day Initiative Vulnerability (Microsoft Internet Explorer)_ _
—|—
|
Trend Micro (1)
|
- 27804: ZDI-CAN-4638-4639: Zero Day Initiative Vulnerability (Trend Micro Control Manager)_ _
—|—
|
Missed Last Week’s News?
Catch up on last week’s news in my weekly recap.
Related
