Exploit Kits - v1.0
Transcription
SERT Report: Exploit Kits - v1.0
A current inventory of the most popular exploit kits, the common payloads deployed and the targeted vulnerabilities.
www.solutionary.com (866) 333-2133

Solutionary: SERT Exploit Kit Report - v1.0

Contents

Introduction
Overview
Exploit Kit Implementation Example
Popular Exploit Kits
  Blackhole Exploit Kit (2.0)
  Eleonore (1.8.91)
  Phoenix Exploit Kit (3.1.15)
  Sakura (1.1)
Newcomers
  RedKit
  Sweet Orange (1.1)
The Payload
  ZeuS/Zbot
  Gameover ZeuS
  SpyEye
  Cridex
  ZeroAccess
Common Vulnerabilities and Exposures (CVE) List
About Solutionary

Introduction

The Solutionary Security Engineering Research Team (SERT) maintains a current inventory of the most popular exploit kits used by attackers, the common payloads deployed and the actual vulnerabilities that are targeted by the various exploit kits. SERT will update this report on a periodic basis to reflect the latest intelligence gained from the patented, cloud-based Solutionary ActiveGuard® service platform in addition to incident response engagements and security consulting engagements with Solutionary clients.

This report was last updated on: 1/15/2013

Overview

Exploit kits make it relatively easy for attackers to take advantage of the most known and easily exploitable vulnerabilities in popular applications, such as Microsoft® Internet Explorer®, Adobe® Acrobat Reader® and Adobe Flash® Player. Exploit kits began appearing in early 2006 with the first known - and widely popular - Web Attacker exploit kit. This was followed by kits such as MPack and GPack, which received significant notoriety before the Phoenix Exploit Kit (2007) and the Blackhole (2010) Exploit Kit appeared on the scene.
Attackers install and deploy exploit kits on attacker-controlled Web servers, typically using anonymous Web hosting services, which are widely available today. The attacker only needs to have a basic understanding of UNIX commands to successfully install an exploit kit. In some cases, even this knowledge is not necessary, as some toolkits can be fully installed through a Web-based interface. Some of the malicious actors who rent exploit kits to other attackers also offer a setup service for a small fee.

After the exploit kit has been deployed, the attacker’s only remaining task is to identify a large number of victims and entice them to visit the kit’s exploit page, commonly known as the landing page. The attacker will typically achieve this by sending phishing emails containing a malicious hyperlink or a malicious HTML document as an attachment. The hyperlink directs the victim to an attacker-controlled website that will, in turn, redirect the victim to a maliciously crafted landing page.

The following example depicts what a typical malicious page may look like from the perspective of the underlying HTML code. A message is displayed that tells the victim to wait to be forwarded to another page. The user is not aware that this page will never load and that the browser will most likely become unresponsive and crash due to an exploit performed by content from the destination site. Victims may not be concerned about the browser crashing because they often encounter such an occurrence. The de-obfuscated, or rendered, content is a redirect to another site, which contains the malicious payload.
Whether the tactic used is a phishing email attack or a drive-by download, the end result is that victims may see a message similar to “Please wait…You will be forwarded...” in their browsers when they have, in fact, been redirected unknowingly to the landing page of the exploit kit.

Exploit Kit Implementation Example

Attacker:
• Identifies / creates target website to host exploit
• Configures exploit kit and chooses payload
• Hosts exploit kit on target website

Victim:
• Receives phishing email
• Clicks the link in the phishing email
• Accesses target website
• Probed by target website to identify exploit to attempt
• Compromised by exploit
• Receives payload of the exploit

Payload:
• Is installed on end user system
• Sets up communication channel with attacker
• Transmits sensitive information to attacker

The most important criterion for exploitation is the selection of an appropriate exploit. Most exploit kits provide different sets of exploits for different browsers and Web browser plug-ins. Discovering the browser plug-ins through scripts on the landing page often determines which exploit will be used on the victim’s browser. Exploit kit authors continually update the available exploits in their products to maintain a high success rate.

Popular Exploit Kits

In 2012, 21 different exploit kits of significant importance were either released or updated. Some of the more popular exploit kits available are shown below.

Blackhole Exploit Kit (2.0)

The Blackhole Exploit Kit was first introduced in late 2010 and gained popularity during 2011. Cyber criminals used the kit to spread malware during many high-profile campaigns in 2011.
Its ease of use, continuous updates and ongoing support combine to make Blackhole a popular choice for attackers. Despite the fact that many other new kits have been released with a larger number of exploits, Blackhole continued to gain popularity over all other exploit kits in 2012. Blackhole has been used to spread many different pieces of malware, including Zeus, SpyEye, Cridex and various fake anti-virus products.

Blackhole Exploit Kit 2.0 made headlines with its release in 2012. The number of exploits in the kit was significantly reduced by removing many of the underutilized and ineffective exploits included in the previous version (1.2.5). Some of the exploits included in Blackhole Exploit Kit 2.0 leverage the following vulnerabilities:

CVE            TITLE
CVE-2006-0003  Vulnerability in the Microsoft Data Access Components (MDAC) Function could allow code execution
CVE-2010-0188  Adobe Acrobat and Reader Remote Code Execution Vulnerability
CVE-2012-0507  Oracle Java SE / JRE AtomicReferenceArray Sandbox Escape Code Execution
CVE-2012-1723  Oracle Java SE / JRE Hotspot Bytecode Verifier Type Confusion Remote Code Execution
CVE-2012-4681  Oracle Java SE / JRE Beans Subcomponent Unspecified Remote Code Execution
CVE-2012-4969  Microsoft IE CMshtmlEd::Exec() Function Use-after-free Remote Code Execution

The following list shows vulnerabilities leveraged by exploits included in version 1.2.5:

CVE            TITLE
CVE-2006-0003  Vulnerability in the Microsoft Data Access Components (MDAC) Function could allow code execution
CVE-2010-0188  Adobe Acrobat and Reader Remote Code Execution Vulnerability
CVE-2012-1723  Oracle Java SE / JRE Hotspot Bytecode Verifier Type Confusion Remote Code Execution
CVE-2012-4681  Oracle Java SE / JRE Beans Subcomponent Unspecified Remote Code Execution
CVE-2012-4969  Microsoft IE CMshtmlEd::Exec() Function Use-after-free Remote Code Execution
CVE-2007-5659  Multiple buffer overflows in Adobe Reader and Acrobat 8.1.1
CVE-2008-2992  Stack-based buffer overflow in Adobe Acrobat and Reader 8.1.2
CVE-2009-0927  Adobe Acrobat getIcon() Function PDF Handling Overflow
CVE-2010-1885  MS10-042: Vulnerability in Help and Support Center could allow remote code execution
CVE-2011-0559  Adobe Flash Player before 10.2.152.26 allows attackers to execute arbitrary code or cause a denial of service
CVE-2011-2110  Adobe Flash Player Unspecified Memory Corruption
CVE-2012-1889  Microsoft XML Core Services Uninitialized Memory Object Handling Remote Code Execution

Eleonore (1.8.91)

Since the launch of its first version in June 2009, the Eleonore Exploit Pack has gained popularity because of its competitive cost compared to other exploit kits and the kit author’s monthly updates. However, exploits for more recent vulnerabilities have failed to appear in the newer versions of the exploit kit.
Exploits included in Eleonore 1.8.91 leverage the following vulnerabilities:

CVE            TITLE
CVE-2006-0003  Vulnerability in the Microsoft Data Access Components (MDAC) Function Could Allow Code Execution
CVE-2010-1885  MS10-042: Vulnerability in Help and Support Center Could Allow Remote Code Execution
CVE-2011-0559  Adobe Flash Player before 10.2.152.26 allows attackers to execute arbitrary code or cause a denial of service
CVE-2011-2110  Adobe Flash Player Unspecified Memory Corruption
CVE-2010-0806  Microsoft IE iepeers.dll Use-After-Free Arbitrary Code Execution
CVE-2008-2463  Microsoft Access Snapshot Viewer ActiveX (snapview.ocx) PrintSnapshot Method Arbitrary Code Execution
CVE-2010-0840  Oracle Java SE / Java for Business JRE Trusted Methods Chaining Remote Code Execution
CVE-2010-4452  Oracle Java SE / Java for Business sun.plugin2.applet.Applet2ClassLoader findClass Method Code Execution
CVE-2011-0558  Adobe Flash Player Function Class ActionScript Method Handling Overflow
CVE-2011-0611  Adobe Flash ActionScript Predefined Class Prototype Addition Remote Code Execution
CVE-2011-2462  Adobe Reader / Acrobat U3D Data Handling Remote Memory Corruption
CVE-2011-3521  Oracle Java SE / JRE IIOP Deserialization Applet Handling Remote Code Execution
CVE-2011-3544  Oracle Java SE / JRE Rhino Javascript Error Parsing Input Sanitation Weakness Remote Code Execution

Phoenix Exploit Kit (3.1.15)

Phoenix Exploit Kit was originally released in 2007 and is still positioned as a significant player in 2012. This kit currently contains exploits for 11 vulnerabilities. Phoenix Exploit Kit, similar to Blackhole Exploit Kit 2.0, reduced the number of exploits included in version 3.1.15 by eliminating some of the less effective exploits in version 3.1.
Exploits included in Phoenix Exploit Kit 3.1.15 leverage the following vulnerabilities:

CVE            TITLE
CVE-2011-2110  Adobe Flash Player Unspecified Memory Corruption
CVE-2012-0507  Oracle Java SE / JRE AtomicReferenceArray Sandbox Escape Code Execution
CVE-2011-3544  Oracle Java SE / JRE Rhino Javascript Error Parsing Input Sanitation Weakness Remote Code Execution
CVE-2011-3659  Mozilla Multiple Products AttributeChildRemoved() Method nsDOMAttribute Child Node Use-after-free Remote Code Execution
CVE-2012-0500  Oracle Java SE Deployment Component java-vm-args Command Argument Injection Remote Code Execution
CVE-2012-0779  Adobe Flash Player Object Confusion Unspecified Remote Code Execution
CVE-2011-2371  Mozilla Multiple Products Array.reduceRight() Method Overflow
CVE-2011-2140  Adobe Flash Player MP4 File Handling Memory Corruption
CVE-2010-0248  Microsoft IE Javascript Cloned DOM Object Handling Memory Corruption
CVE-2010-0842  Unspecified vulnerability in the Sound component in Oracle Java SE and Java for Business

Phoenix Exploit Kit also includes the Firefox Bootstrapped Add-on Social Engineering Code Execution exploit from the Metasploit Framework. This exploit dynamically creates an .xpi add-on file that is presented to the victim via a Web page. Once the user clicks “install,” the add-on is installed and executes the payload with full user permissions. As of Firefox 4, this will work without requiring a restart of the browser.

Sakura (1.1)

Sakura is a lower-end solution that costs less than the more popular exploit kits, but has proven to be a viable option for cyber criminals.
Exploits included in Sakura 1.1 leverage the following vulnerabilities:

CVE            TITLE
CVE-2006-0003  Vulnerability in the Microsoft Data Access Components (MDAC) Function Could Allow Code Execution
CVE-2010-0806  Microsoft IE iepeers.dll Use-After-Free Arbitrary Code Execution
CVE-2010-0842  Unspecified vulnerability in the Sound component in Oracle Java SE and Java for Business
CVE-2012-4681  Oracle Java SE / JRE Beans Subcomponent Unspecified Remote Code Execution

Newcomers

RedKit

RedKit first appeared in 2012. The author did not provide an “official” name for the kit, so the researchers who discovered it named it for its red color scheme.

Exploits included in RedKit leverage the following vulnerabilities:

CVE            TITLE
CVE-2010-0188  Adobe Acrobat and Reader Remote Code Execution Vulnerability
CVE-2012-0507  Oracle Java SE / JRE AtomicReferenceArray Sandbox Escape Code Execution
CVE-2012-4681  Oracle Java SE / JRE Beans Subcomponent Unspecified Remote Code Execution

Sweet Orange (1.1)

The Sweet Orange exploit kit is another that first appeared in 2012. The authors are attempting to make sure it is difficult for non-cyber criminals to obtain the kit.

Exploits included in Sweet Orange 1.1 leverage the following vulnerabilities:

CVE            TITLE
CVE-2010-0188* Adobe Acrobat and Reader Remote Code Execution Vulnerability
CVE-2011-3544  Oracle Java SE / JRE Rhino Javascript Error Parsing Input Sanitation Weakness Remote Code Execution
CVE-2006-0003  Vulnerability in the Microsoft Data Access Components (MDAC) Function Could Allow Code Execution
CVE-2012-4681  Oracle Java SE / JRE Beans Subcomponent Unspecified Remote Code Execution

* This claim is made by the exploit kit author, but whether the exploit exists or not has not been validated.
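As an added example that is not part of the SERT report, the Python script below transcribes the kit tables above together with the software labels and affected-version statements from the report's CVE list, so a defender can count the unique CVEs by issue year and by targeted software and check an installed Flash build or Java 6/7 update against the exploits the kits carry. The "MS ACCESS" label for CVE-2008-2463, the "JAVA" label for CVE-2010-0840 and the version-string formats it accepts are assumptions of this script, not statements from the report.

```python
"""Cross-reference of the exploit-kit tables and CVE list in this SERT report.

Constructed example: the data below is transcribed from the report. Version
thresholds exist only for Java 6/7 and Flash; other products match by label.
"""
from collections import Counter

KIT_CVES = {  # exploit kit version -> CVEs the report lists for it
    "Blackhole 2.0": ["CVE-2006-0003", "CVE-2010-0188", "CVE-2012-0507",
                      "CVE-2012-1723", "CVE-2012-4681", "CVE-2012-4969"],
    "Blackhole 1.2.5": ["CVE-2006-0003", "CVE-2010-0188", "CVE-2012-1723",
                        "CVE-2012-4681", "CVE-2012-4969", "CVE-2007-5659",
                        "CVE-2008-2992", "CVE-2009-0927", "CVE-2010-1885",
                        "CVE-2011-0559", "CVE-2011-2110", "CVE-2012-1889"],
    "Eleonore 1.8.91": ["CVE-2006-0003", "CVE-2010-1885", "CVE-2011-0559",
                        "CVE-2011-2110", "CVE-2010-0806", "CVE-2008-2463",
                        "CVE-2010-0840", "CVE-2010-4452", "CVE-2011-0558",
                        "CVE-2011-0611", "CVE-2011-2462", "CVE-2011-3521",
                        "CVE-2011-3544"],
    "Phoenix 3.1.15": ["CVE-2011-2110", "CVE-2012-0507", "CVE-2011-3544",
                       "CVE-2011-3659", "CVE-2012-0500", "CVE-2012-0779",
                       "CVE-2011-2371", "CVE-2011-2140", "CVE-2010-0248",
                       "CVE-2010-0842"],
    "Sakura 1.1": ["CVE-2006-0003", "CVE-2010-0806", "CVE-2010-0842",
                   "CVE-2012-4681"],
    "RedKit": ["CVE-2010-0188", "CVE-2012-0507", "CVE-2012-4681"],
    "Sweet Orange 1.1": ["CVE-2010-0188", "CVE-2011-3544", "CVE-2006-0003",
                         "CVE-2012-4681"],
}

# Software label -> CVEs, from the report's CVE list. CVE-2008-2463 and
# CVE-2010-0840 are absent from that list; their labels here are assumptions
# based on the titles in the Eleonore table.
TARGETED_SOFTWARE = {
    "MS IE": ["CVE-2006-0003", "CVE-2010-0248", "CVE-2010-0806", "CVE-2012-4969"],
    "ADOBE PDF": ["CVE-2007-5659", "CVE-2008-2992", "CVE-2009-0927",
                  "CVE-2010-0188", "CVE-2011-2462"],
    "JAVA": ["CVE-2010-0840", "CVE-2010-0842", "CVE-2010-4452", "CVE-2011-3521",
             "CVE-2011-3544", "CVE-2012-0500", "CVE-2012-0507", "CVE-2012-1723",
             "CVE-2012-4681"],
    "ADOBE FLASH": ["CVE-2011-0558", "CVE-2011-0559", "CVE-2011-0611",
                    "CVE-2011-2110", "CVE-2011-2140", "CVE-2012-0779"],
    "MOZILLA FIREFOX": ["CVE-2011-2371", "CVE-2011-3659"],
    "MS HCP": ["CVE-2010-1885"], "XML": ["CVE-2012-1889"],
    "MS ACCESS": ["CVE-2008-2463"],
}
SOFTWARE_OF = {c: s for s, cves in TARGETED_SOFTWARE.items() for c in cves}

FLASH_FIXED = {  # first fixed Flash build per major ("before X" in the CVE text)
    "CVE-2011-0558": {10: "10.2.152.26"}, "CVE-2011-0559": {10: "10.2.152.26"},
    "CVE-2011-0611": {10: "10.2.154.27"}, "CVE-2011-2110": {10: "10.3.181.26"},
    "CVE-2011-2140": {10: "10.3.183.5"},
    "CVE-2012-0779": {10: "10.3.183.19", 11: "11.2.202.235"},
}
JAVA_LAST_AFFECTED = {  # last affected update per major ("6 Update 30 and earlier")
    "CVE-2010-0842": {6: 18}, "CVE-2010-4452": {6: 23},
    "CVE-2011-3521": {6: 27, 7: 0}, "CVE-2011-3544": {6: 27, 7: 0},
    "CVE-2012-0500": {6: 30, 7: 2}, "CVE-2012-0507": {6: 30, 7: 2},
    "CVE-2012-1723": {6: 32, 7: 4}, "CVE-2012-4681": {7: 6},
}


def _vtuple(version):
    return tuple(int(p) for p in version.split("."))


def all_cves():
    """Unique CVEs across every kit table in the report."""
    return sorted({c for cves in KIT_CVES.values() for c in cves})


def unique_cves_by_year():
    """Unique CVEs per issue year, the quantity behind the report's first graph."""
    return dict(sorted(Counter(int(c.split("-")[1]) for c in all_cves()).items()))


def software_share():
    """Percentage of unique CVEs per targeted software, largest share first."""
    counts = Counter(SOFTWARE_OF[c] for c in all_cves())
    total = sum(counts.values())
    return {s: round(100 * n / total) for s, n in counts.most_common()}


def exposed_cves(product, version=None):
    """CVEs from the report that an installed product/version is exposed to.

    product is "flash" (dotted build, e.g. "10.3.183.18"), "java"
    ("<major>u<update>", e.g. "6u30") or a TARGETED_SOFTWARE label.
    """
    if product == "flash":
        v = _vtuple(version)
        return sorted(c for c, fixed in FLASH_FIXED.items()
                      if v[0] in fixed and v < _vtuple(fixed[v[0]]))
    if product == "java":
        major, update = (int(x) for x in version.split("u"))
        return sorted(c for c, last in JAVA_LAST_AFFECTED.items()
                      if major in last and update <= last[major])
    return sorted(TARGETED_SOFTWARE.get(product, []))


def kits_targeting(cves):
    """Kits from the report that carry an exploit for any of the given CVEs."""
    wanted = set(cves)
    return sorted(k for k, lst in KIT_CVES.items() if wanted & set(lst))
```

Because the report lists the same CVE in several kits, the shares here are over unique CVEs and will not reproduce the report's graph, which does not state how it was counted.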
Through analysis and presentation of some of the capabilities of the exploit kits discussed, SERT is able to identify a few interesting statistics about their capabilities and attributes. The graph to the right illustrates the relative number of unique CVEs across all exploit kits and the year the CVEs were issued. The graph shows that exploit kits rely heavily on vulnerabilities identified in 2010 and 2011. This information may be a strong indicator that the 2010-2011 vulnerabilities still exist in many environments today and are still useful to the attackers.

[Figure: relative number of unique CVEs across all exploit kits, by year issued]

SERT has also determined what types of software are targeted across all exploit kits reviewed for this report. As depicted in this graph, approximately 80 percent of exploits included in the kits targeted Java, Adobe® PDF and Internet Explorer vulnerabilities.

[Figure: types of software targeted across all exploit kits; slice values 40%, 25%, 16%, 12%, 4%, 3%]

The Payload

Once the victim’s browser and operating system have been successfully compromised, exploit kits attempt to download and install a malicious payload, which most often results in a banking Trojan being installed. This Trojan is the remaining and most important component of the crimeware package. Some of the more popular and most common banking Trojans to date are ZeuS or Zbot, Gameover ZeuS, SpyEye, Cridex and ZeroAccess.

ZeuS/Zbot

ZeuS, also known as Zbot, is a Trojan horse that steals banking information through man-in-the-browser keystroke logging and by a method known as form grabbing. ZeuS is spread mainly through drive-by downloads and phishing schemes.

Gameover ZeuS

Gameover ZeuS is a variant of the popular ZeuS Trojan that appeared after the release of the ZeuS source code in May 2011. The name Gameover ZeuS was given to this variant because an early version contained HTTP POST requests to the C&C server that contained the keyword “gameover”.
Gameover ZeuS is a significant improvement over all other versions of ZeuS because it replaces the centralized C&C server, a single point of failure targeted by researchers and law enforcement, with a robust peer-to-peer (P2P) network.

SpyEye

SpyEye is a Trojan that steals banking information via man-in-the-browser keystroke logging and form grabbing. SpyEye was the leading competitor to ZeuS. Zeus source code, however, was shared with SpyEye and the relationship became more of a collaboration between the Trojans as opposed to competition.

Cridex

Cridex is a Trojan that steals banking information by both man-in-the-browser keystroke logging and form grabbing. Cridex also attempts to harvest user credentials for social media sites. Cridex is similar to ZeuS in that it is able to inject code into HTML pages on websites contained in the configuration file and to monitor and manipulate cookies. The stolen data is saved into a file and sent back to a C&C server.

ZeroAccess

ZeroAccess is a kernel-mode rootkit similar to the TDSS family of malware (including Alureon, Tidserv, TDL). It uses advanced techniques to hide its presence, is capable of functioning on both 32-bit and 64-bit flavors of Windows from a single installer, contains aggressive self-defense functionality and acts as a sophisticated delivery platform for other malware.

Common Vulnerabilities and Exposures (CVE) List

The Common Vulnerabilities and Exposures (CVE - http://cve.mitre.org/) list is a dictionary of common names for publicly known information security vulnerabilities. A list of each CVE used with specific exploit kits is provided in the table below. Exploit kits are dynamic in nature and continuously evolving. The CVEs reported for each exploit kit are accurate up to the publication of this report. The exploit kit developers, however, may have modified the CVEs since publication.
CVE (SOFTWARE): DESCRIPTION

CVE-2006-0003 (MS IE): Unspecified vulnerability in the RDS.Dataspace ActiveX control, which is contained in ActiveX Data Objects (ADO) and distributed in Microsoft Data Access Components (MDAC) 2.7 and 2.8, allows remote attackers to execute arbitrary code via unknown attack vectors.

CVE-2007-5659 / CVE-2008-0655 (ADOBE PDF): Multiple buffer overflows in Adobe Reader and Acrobat 8.1.1 and earlier allow remote attackers to execute arbitrary code via a PDF file with long arguments to unspecified JavaScript methods. Exploit - collab.collectEmailInfo

CVE-2008-2992 (ADOBE PDF): Stack-based buffer overflow in Adobe Acrobat and Reader 8.1.2 and earlier allows remote attackers to execute arbitrary code via a PDF file that calls the util.printf JavaScript function with a crafted format string argument, a related issue to CVE-2008-1104. Exploit - util.printf

CVE-2009-0927 (ADOBE PDF): Stack-based buffer overflow in Adobe Reader and Adobe Acrobat 9 before 9.1, 8 before 8.1.3, and 7 before 7.1.1 allows remote attackers to execute arbitrary code via a crafted argument to the getIcon method of a Collab object, a different vulnerability than CVE-2009-0658. Exploit - collab.getIcon

CVE-2010-0188 (ADOBE PDF): Unspecified vulnerability in Adobe Reader and Acrobat 8.x before 8.2.1 and 9.x before 9.3.1 allows attackers to cause a denial of service (application crash) or possibly execute arbitrary code via unknown vectors. Exploit - LibTiff Integer Overflow

CVE-2010-0806 (MS IE): Use-after-free vulnerability in the Peer Objects component (aka iepeers.dll) in Microsoft Internet Explorer 6, 6 SP1, and 7 allows remote attackers to execute arbitrary code via vectors involving access to an invalid pointer after the deletion of an object, as exploited in the wild in March 2010, aka “Uninitialized Memory Corruption Vulnerability.”

CVE-2010-0842 (JAVA): Unspecified vulnerability in the Sound component in Oracle Java SE and Java for Business 6 Update 18, 5.0 Update 23, 1.4.2_25, and 1.3.1_27 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. NOTE: the above information was obtained from the March 2010 CPU. Oracle has not commented on claims from a reliable researcher that this is an uncontrolled array index that allows remote attackers to execute arbitrary code via a MIDI file with a crafted MixerSequencer object, related to the GM_Song structure.

CVE-2010-1885 (MS HCP): The MPC::HexToNum function in helpctr.exe in Microsoft Windows Help and Support Center in Windows XP and in Windows Server 2003 does not properly handle malformed escape sequences. This allows remote attackers to bypass the trusted documents whitelist (from HCP option) and execute arbitrary commands via a crafted hcp:// URL, aka "Help Center URL Validation Vulnerability."

CVE-2010-0248 (MS IE): Microsoft Internet Explorer 6, 6 SP1, 7, and 8 do not properly handle objects in memory, which allows remote attackers to execute arbitrary code by accessing an object that (1) was not properly initialized or (2) is deleted, leading to memory corruption, aka "HTML Object Memory Corruption Vulnerability."

CVE-2010-4452 (JAVA): Unspecified vulnerability in the Deployment component in Java Runtime Environment (JRE) in Oracle Java SE and Java for Business 6 Update 23 and earlier allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality, integrity, and availability via unknown vectors. Sun Java Applet2ClassLoader Remote Code Execution Exploit

CVE-2011-0558 (ADOBE FLASH): Integer overflow in Adobe Flash Player before 10.2.152.26 allows attackers to execute arbitrary code via a large array length value in the ActionScript method of the Function class.

CVE-2011-0559 (ADOBE FLASH): Adobe Flash Player before 10.2.152.26 allows attackers to execute arbitrary code or cause a denial of service (memory corruption) via crafted parameters to an unspecified ActionScript method that causes a parameter to be used as an object pointer, a different vulnerability than CVE-2011-0560, CVE-2011-0561, CVE-2011-0571, CVE-2011-0572, CVE-2011-0573, CVE-2011-0574, CVE-2011-0578, CVE-2011-0607, and CVE-2011-0608.

CVE-2011-0611 (ADOBE FLASH): Adobe Flash Player before 10.2.154.27 on Windows, Mac OS X, Linux, and Solaris and 10.2.156.12 and earlier on Android; Adobe AIR before 2.6.19140; and Authplay.dll (aka AuthPlayLib.bundle) in Adobe Reader 9.x before 9.4.4 and 10.x through 10.0.1 on Windows, Adobe Reader 9.x before 9.4.4 and 10.x before 10.0.3 on Mac OS X, and Adobe Acrobat 9.x before 9.4.4 and 10.x before 10.0.3 on Windows and Mac OS X allow remote attackers to execute arbitrary code or cause a denial of service (application crash) via crafted Flash content, as demonstrated by a Microsoft Office document with an embedded .swf file that has a size inconsistency in a “group of included constants,” object type confusion, ActionScript that adds custom functions to prototypes, and Date objects; and as exploited in the wild in April 2011. Exploit - Microsoft Office document with an embedded .swf file

CVE-2011-2110 (ADOBE FLASH): Adobe Flash Player before 10.3.181.26 on Windows, Mac OS X, Linux, and Solaris, and 10.3.185.23 and earlier on Android, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, as exploited in the wild in June 2011.

CVE-2011-2140 (ADOBE FLASH): Adobe Flash Player before 10.3.183.5 on Windows, Mac OS X, Linux, and Solaris; before 10.3.186.3 on Android, and Adobe AIR before 2.7.1 on Windows and Mac OS X and before 2.7.1.1961 on Android, allows attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2011-2135, CVE-2011-2417, and CVE-2011-2425. MP4 SequenceParameterSetNALUnit Buffer Overflow Exploit

CVE-2011-2371 (MOZILLA FIREFOX): Integer overflow in the Array.reduceRight method in Mozilla Firefox before 3.6.18 and 4.x through 4.0.1, Thunderbird before 3.1.11, and SeaMonkey through 2.0.14 allows remote attackers to execute arbitrary code via vectors involving a long JavaScript Array object. Array.reduceRight() Exploit

CVE-2011-2462 (ADOBE PDF): Unspecified vulnerability in the U3D component in Adobe Reader and Acrobat 10.1.1 and earlier on Windows and Mac OS X, and Adobe Reader 9.x through 9.4.6 on UNIX, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via unknown vectors, as exploited in the wild in December 2011.

CVE-2011-3521 (JAVA): Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE JDK and JRE 7, 6 Update 27 and earlier, and 5.0 Update 31 and earlier allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality, integrity, and availability via unknown vectors related to Deserialization.

CVE-2011-3544 (JAVA): Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE JDK and JRE 7 and 6 Update 27 and earlier allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality, integrity, and availability via unknown vectors related to Scripting. Also affects Rhino Script Engine

CVE-2011-3659 (MOZILLA FIREFOX): Use-after-free vulnerability in Mozilla Firefox before 3.6.26 and 4.x through 9.0, Thunderbird before 3.1.18 and 5.0 through 9.0, and SeaMonkey before 2.7 might allow remote attackers to execute arbitrary code via vectors related to incorrect AttributeChildRemoved notifications that affect access to removed nsDOMAttribute child nodes.

CVE-2012-0500 (JAVA): Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Update 30 and earlier, and JavaFX 2.0.2 and earlier allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality, integrity, and availability via unknown vectors related to Deployment. Sun Java Web Start Plug-in Command Line Argument Injection

CVE-2012-0507 (JAVA): Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Update 30 and earlier, and 5.0 Update 33 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Concurrency. NOTE: the above information was obtained from the February 2012 Oracle CPU. Oracle has not commented on claims from a downstream vendor and third-party researchers that this issue occurs because the AtomicReferenceArray class implementation does not ensure that the array is of the Object[] type, which allows attackers to cause a denial of service (JVM crash) or bypass Java sandbox restrictions. NOTE: this issue was originally mapped to CVE-2011-3571, but that identifier was already assigned to a different issue.

CVE-2012-0779 (ADOBE FLASH): Adobe Flash Player before 10.3.183.19 and 11.x before 11.2.202.235 on Windows, Mac OS X, and Linux; before 11.1.111.9 on Android 2.x and 3.x; and before 11.1.115.8 on Android 4.x allows remote attackers to execute arbitrary code via a crafted file, related to an "object confusion vulnerability," as exploited in the wild in May 2012.

CVE-2012-1723 (JAVA): Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 update 32 and earlier, 5 update 35 and earlier, and 1.4.2_37 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Hotspot.

CVE-2012-1889 (XML): Microsoft XML Core Services 3.0, 4.0, 5.0, and 6.0 access uninitialized memory locations, which allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site.

CVE-2012-4681 (JAVA): Multiple vulnerabilities in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 6 and earlier allow remote attackers to execute arbitrary code via a crafted applet that bypasses SecurityManager restrictions by (1) using com.sun.beans.finder.ClassFinder.findClass and leveraging an exception with the forName method to access restricted classes from arbitrary packages such as sun.awt.SunToolkit, then (2) using “reflection with a trusted immediate caller” to leverage the getField method to access and modify private fields, as exploited in the wild in August 2012 using Gondzz.class and Gondvv.class.

CVE-2012-4969 (MS IE): Use-after-free vulnerability in the CMshtmlEd::Exec function in mshtml.dll in Microsoft Internet Explorer 6 through 9 allows remote attackers to execute arbitrary code via a crafted web site, as exploited in the wild in September 2012.

Conclusion

Exploit kits remain a popular method for cyber criminals to execute attacks on unknowing victims. These kits are frequently updated and modified to take advantage of newly-discovered vulnerabilities and to elude security researchers as well as law enforcement. Using an exploit kit, attackers without a great deal of computer savvy are able to execute attacks. Staying informed about the latest updates to exploit kits, the vulnerabilities they exploit and the attacks they employ will help organizations as well as end-users thwart the efforts of attackers and protect themselves from attacks.

About Solutionary

Solutionary is the leading pure-play managed security service provider (MSSP), focused on delivering managed security services and global threat intelligence. Comprehensive Solutionary security monitoring and security device management services protect traditional and virtual IT infrastructures, cloud environments and mobile data. Solutionary clients are able to optimize current security programs, make informed security decisions, achieve regulatory compliance and reduce costs. The patented, cloud-based ActiveGuard® service platform uses multiple detection technologies and advanced analytics to protect against advanced threats. The Solutionary Security Engineering Research Team (SERT) researches the global threat landscape, providing actionable threat intelligence, enhanced threat detection and mitigating controls.
Experienced, certified Solutionary security experts act as an extension of clients’ internal teams, providing industry-leading client service to global enterprise and mid-market clients in a wide range of industries, including financial services, healthcare, retail and government. Services are delivered 24/7 through multiple, state-of-the-art Security Operations Centers (SOCs) in North America.

To learn more about Solutionary, the leading pure-play Managed Security Service Provider, and how the ActiveGuard® service platform could protect your enterprise, request a demonstration today by calling 866-333-2133.

Contact Solutionary at: info@solutionary.com or 866-333-2133
Solutionary.com

ActiveGuard® US Patent Numbers: 7,168,093; 7,424,743; 6,988,208; 7,370,359; 7,673,049; 7,954,159; 8,261,347. Solutionary, the Solutionary logo, ActiveGuard and the ActiveGuard logo are registered trademarks or service marks of Solutionary, Inc. or its subsidiaries in the United States. Other marks and brands may be claimed as the property of others. The product plans, specifications, and descriptions herein are provided for information only and subject to change without notice, and are provided without warranty of any kind, express or implied. Copyright ©2013 Solutionary, Inc.

Solutionary, Inc.
9420 Underwood Ave., 3rd Floor
Omaha, NE 68114
1174SR 02/13