Vulnerability in Windows JScript component allows remote code execution

Trend Micro’s Zero-Day Initiative yesterday released a summary of light technical details regarding a vulnerability in Windows operating system’s JScript component that allows remote hackers to execute malicious code on the victim’s computer.

According to ZDI, the vulnerability can be exploited by targeting installations on Microsoft Windows and requires user interaction by visiting a malicious page or downloading and opening a malicious file on the system.

“The specific flaw exists within the handling of Error objects in JScript,” ZDI said in the advisory. “By performing actions in script, an attacker can cause a pointer to be reused after it has been freed. An attacker can leverage this vulnerability to execute code under the context of the current process.”

ZDI first reported the vulnerability to Microsoft in January, after Dmitri Kaslov of Telspace Systems discovered the bug, and has now disclosed it to the public in line with its 120-day disclosure deadline.

Microsoft is reportedly working on a patch, but since it was unable to meet ZDI's deadline, ZDI has disclosed limited details of the vulnerability.

Brian Gorenc, director of Trend Micro's Zero Day Initiative, told Bleeping Computer, “Due to the sensitivity of the bug, we don’t want to provide too many technical details until a full fix from Microsoft is available.”

He also said that the flaw does not lead to a full system compromise as it only allows code execution “within a sandbox environment”. "An attacker would need additional exploits to escape the sandbox and execute their code on the target system," he said.

The vulnerability has received a 6.8 CVSS score out of 10.

Microsoft patches a zero-day exploit vulnerability in Internet Explorer

Although Microsoft has patched a zero-day vulnerability in Internet Explorer, it had already been exploited in attacks involving a compromised website belonging to an evangelical church in Hong Kong.

Users are requested to update their computers as soon as possible.

The vulnerability permits remote code execution if a user views a specially crafted web page using Internet Explorer, giving the attacker the same user rights as the current user. Microsoft's security update resolves the issue by modifying how Internet Explorer handles objects in memory.

First, the attackers compromised the website of the Evangelical Lutheran Church of Hong Kong and modified it to host a malicious iFrame, which redirected visitors to another website hosting an exploit for the Microsoft Internet Explorer Remote Memory Corruption Vulnerability (CVE-2015-2502).

According to Symantec, the IP address of this website is
This website hosts a file called vvv.html, which redirects to one of two other files called a.js and b.js, which lead to the download of a file called java.html to the victim's computer. Java.html installs Korplug on the computer, in the form of an executable called c.exe.

Russian Hackers use Windows 0-Day exploit to hack NATO, Ukraine

Russian hackers, dubbed the "Sandworm team", have been found exploiting a previously unknown vulnerability in Microsoft's Windows operating systems, reports iSight.

The group has used this zero-day exploit to hack computers used by NATO, the Ukrainian government, European telecommunications firms, the energy sector and a US academic organization.

The attack starts with a spear-phishing email containing a malicious PowerPoint document that exploits the vulnerability and infects the victim's machine with malware.

"The vulnerability exists because Windows allows the OLE packager (packager.dll) to download and execute INF files," the report reads.

"... When handling Microsoft PowerPoint files, the packager allows a Package OLE object to reference arbitrary external files, such as INF files, from untrusted sources... This will cause the referenced files to be downloaded and, in the case of INF files, to be executed with specific commands."

The vulnerability reportedly affects all versions of Windows from Vista SP1 to Windows 8.1. It also affects Windows Server 2008 and 2012.

Opening an email containing RTF in Outlook hands your computer to hackers

How many of you use Microsoft Outlook in your office? Previewing or opening an email containing an .RTF file in Microsoft Outlook can open a backdoor for remote hackers to access your machine.

Microsoft warned today that attackers are exploiting a new zero-day vulnerability in Microsoft Word that allows them to run arbitrary code on the vulnerable system.

"The vulnerability could allow remote code execution if a user opens a specially crafted RTF file using an affected version of Microsoft Word," the security advisory reads, "or previews or opens a specially crafted RTF email message in Microsoft Outlook while using Microsoft Word as the email viewer."

The vulnerability affects Microsoft Word 2003, 2007, 2010 and 2013, Word Viewer and Microsoft Office for Mac 2011. The advisory states that the exploits seen so far have targeted Microsoft Word 2010 users.

Microsoft is in the process of creating a patch for this security flaw. In the meantime, it has released a temporary Fix it solution which prevents Microsoft Word from opening RTF files.

Other suggested ways to avoid becoming a victim are configuring Outlook to read email messages in plain text format and using the Enhanced Mitigation Experience Toolkit (EMET).

CVE-2013-5065: Windows XP Kernel Privilege escalation vulnerability exploited in the wild

Microsoft has issued a warning about a new zero-day vulnerability affecting the Windows XP and Windows Server 2003 operating systems.

The bug, tracked as CVE-2013-5065, is a local privilege escalation vulnerability and is reportedly being exploited in the wild.

Successful exploitation allows attackers to run arbitrary code in kernel mode (user mode --> kernel mode). They could then install software, modify data or create accounts with administrator privileges.

However, the vulnerability is not exploitable by a remote attacker.

"It does not affect customers who are using operating systems newer than Windows XP and Windows Server 2003," the Microsoft security advisory reads.

Though Microsoft has issued workarounds for this vulnerability, it is better to switch to the latest version of Windows (7 or 8), as Microsoft is going to stop supporting Windows XP in April 2014.

Temporary fix for new zero-day IE vulnerability (CVE-2013-1347)

Microsoft has issued a temporary fix for the recently uncovered Internet Explorer 8 vulnerability that was exploited in the US Department of Labor hack to serve malware.

The vulnerability affects only IE8, so users running Internet Explorer versions 6, 7, 9 and 10 do not need to take any action.

Microsoft is working on fixing the issue. In the meantime, users are urged to apply the temporary fix to protect against the attack.

To do this, visit this page "" and click the Fix it button or link under the Enable heading.

If you are a pentester, the technical analysis and metasploit module can be found here:

New IE8 Zero-day was used in the DOL Watering Hole attack

A few days ago AlienVault Labs reported that the U.S. Department of Labor website had been hacked and was redirecting visitors to a malware page. In their report, they said the exploit used in the attack was CVE-2012-4792.

After further analysis, security researchers discovered that the vulnerability exploited in the attack was not CVE-2012-4792 but a new zero-day affecting Internet Explorer 8.

The identifier CVE-2013-1347 has been assigned to this new IE vulnerability. Microsoft noted that Internet Explorer 6, IE7, IE9 and IE10 are not affected.

"U.S Department of Labor website wasn't the only entity affected and we can confirm that at least 9 other websites were redirecting to the malicious server at the same time," AlienVault reports.

According to their report, the attack targeted websites belonging to several non-profit groups and institutes, as well as a large European company operating in the aerospace, defence and security markets.

Invincea's founder Anup Ghosh told NextGov that the "target of the attack are [Energy Department] folks in a watering hole style attack compromising one federal department to attack another".

Quick fix for IE zero-day Vulnerability (CVE-2012-4792) is available

Microsoft has released a quick fix for a zero-day vulnerability in older versions of its Internet Explorer web browser that is being actively exploited by hackers.

The security flaw affects Internet Explorer 6, 7 and 8. Versions 9 and 10 are not affected.

About CVE-2012-4792:

Use-after-free vulnerability in Microsoft Internet Explorer 6 through 8 allows remote attackers to execute arbitrary code via a crafted web site that triggers access to an object that (1) was not properly allocated or (2) is deleted, as demonstrated by a CDwnBindInfo object, and exploited in the wild in December 2012.

The company said that the "Fix it solution" is not intended to be a replacement for any security update.

"We recommend that you always install the latest security updates. However, we offer this Fix it solution as a workaround option for some scenarios."

The quick fix for the vulnerability is available here:

Samsung Smart TV 0-day vulnerability allows hackers to read attached storage devices

ReVuln Ltd has discovered a zero-day vulnerability in Samsung Smart TVs that allows attackers to retrieve sensitive information, monitor the device and root it remotely.

The vulnerability has been tested on a Samsung LED 3D TV, but the team has not yet been able to confirm which TV models are affected by this zero-day.

"We have tested different Samsung televisions of the latest generations running the latest version of their firmware," said Luigi Auriemma, security researcher at ReVuln Ltd.

“Unfortunately we can't disclose additional information but we can only say that almost all the people having a Samsung TV at home or in their offices are affected by this vulnerability.”

They've demonstrated the attack in a proof of concept video:

Zero-day vulnerabilities in MySQL database allow hackers to crash the service

Multiple zero-day vulnerabilities have been discovered in the popular database software MySQL that could allow hackers to crash the service, deny access to users, escalate privileges and bypass authentication.

Five zero-day vulnerabilities were reported. According to the report, one was recognised as a duplicate of an existing flaw and another as a misconfiguration.

The Common Vulnerabilities and Exposures (CVE) identifiers assigned to track the issues are:

  • CVE-2012-5611 — MySQL (Linux) Stack based buffer overrun PoC Zeroday
  • CVE-2012-5612 — MySQL (Linux) Heap Based Overrun PoC Zeroday
  • CVE-2012-5613 — MySQL (Linux) Database Privilege Elevation Zeroday Exploit
  • CVE-2012-5614 — MySQL Denial of Service Zeroday PoC
  • CVE-2012-5615 — MySQL Remote Preauth User Enumeration Zeroday

Security researcher Eric Romang has posted a video on his blog demonstrating how misconfigured servers are vulnerable.

Similar issues were also disclosed involving Communications' Tectia SSH Server, which was also found to be vulnerable to authentication bypass.