
8/29/2012

[Information] 2012 London Olympic schedule, or a malicious file.

1. Introduction

The London 2012 Olympic Games are being held, and the world's attention is on them. While the athletes compete, attackers are spreading malicious files disguised as the Olympic schedule. This malicious file uses a PDF font exploit and still displays an Olympic schedule, so ordinary users cannot tell whether they have been infected.



2. Spreading path and symptom of infection

This file can be spread as an e-mail attachment, through SNS, or as a link sent over an instant messenger. It uses a PDF font exploit; the affected versions are as follows.

Affected versions

- Adobe Reader 9.3.4 or lower
- Adobe Acrobat 9.3.4 or lower

This malicious file uses an exploit that triggers a stack overflow through a certain table in the encrypted TTF (TrueType Font) stream embedded in the PDF. The code is as follows.


When the file is opened, the following PDF is displayed.


In addition, it creates further malicious files at the following paths.

Created files

- (User temp folder)\~temqp.tmp (53,248 bytes)
- (User temp folder)\explorer.exe (53,248 bytes)
- (User temp folder)\~vmdmc.exe (484,864 bytes, copy of normal cmd.exe)

Registry value

- Key : [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
- Name : "arun"
- Data : "(User temp folder)\explorer.exe"

(User temp folder) is usually "C:\Documents and Settings\(User account)\Local Settings\Temp".

These malicious files use a Word document icon.


These malicious files also attempted to connect to a certain external site in China, but that site can no longer be reached.
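As an added example (not code from the original post), the following PowerShell function checks a Windows host for the indicators listed above: the three dropped files in the user's temp folder with the reported sizes, and the "arun" value in the HKCU Run key. The file names, sizes, key and value name come from the post; the function name and report layout are this example's own. It also goes slightly beyond the post by flagging any Run entry that starts an explorer.exe from outside the Windows folder, since the dropped copy here borrows that name.

```powershell
# Added example (not from the original post): checks a Windows host for the
# indicators listed above. File names, sizes, the registry key and the value
# name come from the post; the function name and report layout are this
# example's own choices.
function Test-OlympicPdfDropperIndicators {
    param(
        # Folder to inspect; defaults to the current user's temp folder
        # (the "(User temp folder)" of the post).
        [string]$TempFolder = $env:TEMP
    )

    $findings = @()

    # Dropped files named in the post, with the sizes it reports.
    $expectedFiles = @{
        '~temqp.tmp'   = 53248
        'explorer.exe' = 53248
        '~vmdmc.exe'   = 484864
    }

    foreach ($name in $expectedFiles.Keys) {
        $path = Join-Path $TempFolder $name
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $size = (Get-Item -LiteralPath $path -Force).Length
        if ($size -eq $expectedFiles[$name]) { $detail = 'name and size match' }
        else { $detail = "name matches, size differs ($size bytes)" }
        $findings += [pscustomobject]@{ Indicator = 'File'; Item = $path; Detail = $detail }
    }

    # Persistence: HKCU Run value "arun" pointing at explorer.exe in the temp folder.
    # Only the current user's hive is visible here; run under each account of interest.
    $runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    $run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if ($run -and $run.PSObject.Properties['arun']) {
        $data = [string]$run.arun
        if ($data -like '*\explorer.exe') { $detail = 'value name and data match' }
        else { $detail = "value name matches, data differs ($data)" }
        $findings += [pscustomobject]@{ Indicator = 'Registry'; Item = "$runKey\arun"; Detail = $detail }
    }

    # Generalisation beyond the post: the real explorer.exe lives in the Windows
    # folder, so any Run entry launching one from elsewhere deserves a look even
    # if the value name was changed. PS* properties are provider metadata, not values.
    if ($run) {
        foreach ($p in $run.PSObject.Properties) {
            if ($p.Name -like 'PS*' -or $p.Name -eq 'arun') { continue }
            $data = ([string]$p.Value).Trim('"')
            if ($data -like '*\explorer.exe' -and $data -notlike "$env:SystemRoot*") {
                $findings += [pscustomobject]@{
                    Indicator = 'Registry'
                    Item      = "$runKey\$($p.Name)"
                    Detail    = "explorer.exe outside the Windows folder ($data)"
                }
            }
        }
    }

    return $findings
}

$result = @(Test-OlympicPdfDropperIndicators)
if ($result.Count -eq 0) { 'No indicators from the advisory were found.' }
else { $result | Format-Table -AutoSize }
```

A hit on "name matches, size differs" is still worth investigating: variants of the same dropper (the detection names below list several) need not keep the byte sizes the post reports.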


3. How to prevent

For malicious files that use a document-file exploit, prevention in advance is nearly impossible, and such files are often combined with social engineering. To keep your PC safe from the threats posed by malicious attachments, we recommend installing the latest security updates and following the "Security management tips" for general users below.

Security management tips

1. Keep the OS and applications up to date with the latest security updates.
2. Use anti-virus software from a trustworthy security company, keep its engine updated, and keep real-time detection enabled.
3. Do not open or download attachments from suspicious e-mails.
4. Be careful with links received through instant messengers and SNS.

INCA Internet (Security Response Center / Emergency Response Team) operates a response system against various security threats.
nProtect Anti-Virus/Spyware v3.0 detects and removes these files and their variants.

Free installation link of nProtect AVS : http://avs.nprotect.com/

Diagnosis names

- Trojan/W32.Agent.53248.CYM
- Trojan-Exploit/W32.Pidief.291556.JVF
- Trojan/W32.Agent.53248.DDR

8/28/2012

Microsoft Security Bulletin Summary for August 2012

1. Introduction

Microsoft's (MS) regular security updates for August 2012 have been released.
Users of MS operating systems are strongly advised to install them to be protected against: Vulnerability in Remote Desktop Could Allow Remote Code Execution, Vulnerabilities in Windows Networking Components Could Allow Remote Code Execution, Vulnerability in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege, Vulnerability in JScript and VBScript Engines Could Allow Remote Code Execution, Vulnerability in Microsoft Office Could Allow Remote Code Execution, Vulnerabilities in Microsoft Exchange Server WebReady Document Viewing Could Allow Remote Code Execution, Vulnerability in Microsoft Visio Could Allow Remote Code Execution, and Vulnerability in Windows Common Controls Could Allow Remote Code Execution.



2. Update details

[Critical]
[MS12-052] Cumulative Security Update for Internet Explorer (2722913)

Vulnerabilities:
- Layout Memory Corruption Vulnerability - CVE-2012-1526
- Asynchronous NULL Object Access Remote Code Execution Vulnerability - CVE-2012-2521
- Virtual Function Table Corruption Remote Code Execution Vulnerability - CVE-2012-2522
- JavaScript Integer Overflow Remote Code Execution Vulnerability - CVE-2012-2523


This security update resolves four privately reported vulnerabilities in Internet Explorer. The most severe vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited any of these vulnerabilities could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Affected software

- Internet Explorer 6 with Windows XP Service Pack 3
- Internet Explorer 6 with Windows XP Professional x64 Edition SP2
- Internet Explorer 6 with Windows Server 2003 SP2
- Internet Explorer 6 with Windows Server 2003 x64 Edition SP2
- Internet Explorer 6 with Windows Server 2003 with SP2 for Itanium-based Systems
- Internet Explorer 7 with Windows XP SP3
- Internet Explorer 7 with Windows XP Professional x64 Edition SP2
- Internet Explorer 7 with Windows Server 2003 SP2
- Internet Explorer 7 with Windows Server 2003 x64 Edition SP2
- Internet Explorer 7 with Windows Server 2003 with SP2 for Itanium-based Systems
- Internet Explorer 7 with Windows Vista SP2
- Internet Explorer 7 with Windows Vista x64 Edition SP2
- Internet Explorer 7 with Windows Server 2008 for 32-bit Systems SP2
- Internet Explorer 7 with Windows Server 2008 for x64-based Systems SP2
- Internet Explorer 7 with Windows Server 2008 for Itanium-based Systems SP2
- Internet Explorer 8 with Windows XP SP3
- Internet Explorer 8 with Windows XP Professional x64 Edition SP2
- Internet Explorer 8 with Windows Server 2003 SP2
- Internet Explorer 8 with Windows Server 2003 x64 Edition SP2
- Internet Explorer 8 with Windows 7 for 32-bit and Windows 7 for 32-bit SP1
- Internet Explorer 8 with Windows 7 for x64-based and Windows 7 for x64-based SP1
- Internet Explorer 8 with Windows Vista SP2
- Internet Explorer 8 with Windows Vista x64 Edition SP2
- Internet Explorer 8 with Windows Server 2008 for 32-bit Systems SP2
- Internet Explorer 8 with Windows Server 2008 for 64-bit Systems SP2
- Internet Explorer 8 with Windows 2008 R2 for x64-based Systems SP1
- Internet Explorer 8 with Windows 2008 R2 for Itanium-based Systems SP1
- Internet Explorer 9 with Windows Vista SP2
- Internet Explorer 9 with Windows Vista x64 Edition SP2
- Internet Explorer 9 with Windows Server 2008 for 32-bit SP2
- Internet Explorer 9 with Windows Server 2008 for 64-bit Itanium-based Systems SP2
- Internet Explorer 9 with Windows 7 for 32-bit and Windows 7 for 32-bit SP1
- Internet Explorer 9 with Windows 7 for x64-based and Windows 7 for x64-based SP1
- Internet Explorer 9 with Windows Server 2008 R2 for 64-bit and Windows Server 2008 R2 for 64-bit SP1

- Reference site

http://technet.microsoft.com/en-us/security/bulletin/MS12-052



[Critical]
[MS12-053] Vulnerability in Remote Desktop Could Allow Remote Code Execution (2723135)

Vulnerability: Remote Desktop Protocol Vulnerability - CVE-2012-2526 


This security update resolves a privately reported vulnerability in the Remote Desktop Protocol. The vulnerability could allow remote code execution if an attacker sends a sequence of specially crafted RDP packets to an affected system. By default, the Remote Desktop Protocol (RDP) is not enabled on any Windows operating system. Systems that do not have RDP enabled are not at risk.

Affected software

- Windows XP SP3

- Reference site

http://technet.microsoft.com/en-us/security/bulletin/MS12-053




[Critical]
[MS12-054] Vulnerabilities in Windows Networking Components Could Allow Remote Code Execution (2733594)
Vulnerabilities:
- Remote Administration Protocol Denial of Service Vulnerability - CVE-2012-1850
- Print Spooler Service Format String Vulnerability - CVE-2012-1851
- Remote Administration Protocol Heap Overflow Vulnerability - CVE-2012-1852
- Remote Administration Protocol Stack Overflow Vulnerability - CVE-2012-1853


This security update resolves four privately reported vulnerabilities in Microsoft Windows. The most severe of these vulnerabilities could allow remote code execution if an attacker sends a specially crafted response to a Windows print spooler request. Firewall best practices and standard default firewall configurations can help protect networks from attacks that originate outside the enterprise perimeter. Best practices recommend that systems connected directly to the Internet have a minimal number of ports exposed.

Affected software

- Windows XP SP3
- Windows XP Professional x64 Edition SP2
- Windows Server 2003 SP2
- Windows Server 2003 x64 Edition SP2
- Windows Server 2003 Itanium-based SP2
- Windows Vista SP2
- Windows Vista x64 Edition SP2
- Windows Server 2008 for 32bit and Windows 2008 for 32bit SP2
- Windows Server 2008 for x64-based and Windows Server 2008 for x64-based SP2
- Windows Server 2008 for Itanium-based and Windows Server 2008 for Itanium SP2
- Windows 7 for 32-bit and Windows 7 for 32bit SP1
- Windows 7 for x64-based and Windows 7 for x64-based SP1
- Windows Server 2008 R2 for x64-based and Windows Server R2 for x64-based SP1
- Windows Server 2008 R2 for Itanium-based and Windows Server 2008 R2 for Itanium SP1

- Reference site

http://technet.microsoft.com/en-us/security/bulletin/MS12-054



[Important]
[MS12-055] Vulnerability in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2731847)

Vulnerability: Win32k Use After Free Vulnerability - CVE-2012-2527 


This security update resolves one privately reported vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if an attacker logs on to the system and runs a specially crafted application. An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability.

Affected software

- Windows XP SP3
- Windows XP Professional x64 Edition SP2
- Windows Server 2003 SP2
- Windows Server 2003 x64 Edition SP2
- Windows Server 2003 Itanium-based SP2
- Windows Vista SP2
- Windows Vista x64 Edition SP2
- Windows Server 2008 for 32bit and Windows 2008 for 32bit SP2
- Windows Server 2008 for x64-based and Windows Server 2008 for x64-based SP2
- Windows Server 2008 for Itanium-based and Windows Server 2008 for Itanium SP2
- Windows 7 for 32-bit and Windows 7 for 32bit SP1
- Windows 7 for x64-based and Windows 7 for x64-based SP1
- Windows Server 2008 R2 for x64-based and Windows Server R2 for x64-based SP1
- Windows Server 2008 R2 for Itanium-based and Windows Server 2008 R2 for Itanium SP1

- Reference site

http://technet.microsoft.com/en-us/security/bulletin/MS12-055


[Important]

[MS12-056] Vulnerability in JScript and VBScript Engines Could Allow Remote Code Execution (2706045)

Vulnerability: JavaScript Integer Overflow Remote Code Execution Vulnerability - CVE-2012-2523 


This security update resolves a privately reported vulnerability in the JScript and VBScript scripting engines on 64-bit versions of Microsoft Windows. The vulnerability could allow remote code execution if a user visited a specially crafted website. An attacker would have no way to force users to visit the website. Instead, an attacker would have to convince users to visit the website, typically by getting them to click a link in an email message or Instant Messenger message that takes users to the attacker's website.

Affected software

- Windows XP Professional x64 Edition SP2
- Windows Server 2003 x64 Edition SP2
- Windows Vista x64 Edition SP2
- Windows Server 2008 for x64-based Systems SP2
- Windows 7 for x64-based Systems
- Windows 7 for x64-based Systems SP1
- Windows Server 2008 R2 for x64-based Systems
- Windows Server 2008 R2 for x64-based Systems SP1
- Windows Server 2008 R2 for Itanium-based Systems
- Windows Server 2008 R2 for Itanium-based Systems SP1

- Reference site

http://technet.microsoft.com/en-us/security/bulletin/MS12-056


[Important]

[MS12-057] Vulnerability in Microsoft Office Could Allow Remote Code Execution (2731879)

Vulnerability: CGM File Format Memory Corruption Vulnerability - CVE-2012-2524 


This security update resolves one privately reported vulnerability in Microsoft Office. The vulnerability could allow remote code execution if a user opens a specially crafted file or embeds a specially crafted Computer Graphics Metafile (CGM) graphics file into an Office file. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Affected software

- Microsoft Office 2007 SP2
- Microsoft Office 2007 SP3
- Microsoft Office 2010 SP1 (32bit)
- Microsoft Office 2010 SP1 (64bit)

- Reference site

http://technet.microsoft.com/en-us/security/bulletin/MS12-057



[Important]
[MS12-058] Vulnerabilities in Microsoft Exchange Server WebReady Document Viewing Could Allow Remote Code Execution (2740358)

Vulnerability: Oracle Outside In contains multiple exploitable vulnerabilities 


This security update resolves publicly disclosed vulnerabilities in Microsoft Exchange Server WebReady Document Viewing. The vulnerabilities could allow remote code execution in the security context of the transcoding service on the Exchange server if a user previews a specially crafted file using Outlook Web App (OWA). The transcoding service in Exchange that is used for WebReady Document Viewing is running in the LocalService account. The LocalService account has minimum privileges on the local computer and presents anonymous credentials on the network.

Affected software

- Microsoft Exchange Server 2007 SP3
- Microsoft Exchange Server 2010 SP1
- Microsoft Exchange Server 2010 SP2

- Reference site

http://technet.microsoft.com/en-us/security/bulletin/MS12-058


[Important]

[MS12-059] Vulnerability in Microsoft Visio Could Allow Remote Code Execution (2733918)

Vulnerability: Visio DXF File Format Buffer Overflow Vulnerability - CVE-2012-1888 


This security update resolves a privately reported vulnerability in Microsoft Office. The vulnerability could allow remote code execution if a user opens a specially crafted Visio file. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Affected software

- Microsoft Visio 2010 SP1(32bit)
- Microsoft Visio 2010 SP1(64bit)
- Microsoft Visio Viewer 2010 SP1(32bit)
- Microsoft Visio Viewer 2010 SP1(64bit)

- Reference site

http://technet.microsoft.com/en-us/security/bulletin/MS12-059


[Important]

[MS12-060] Vulnerability in Windows Common Controls Could Allow Remote Code Execution (2720573)

Vulnerability: MSCOMCTL.OCX RCE Vulnerability - CVE-2012-1856 


This security update resolves a privately reported vulnerability in Windows common controls. The vulnerability could allow remote code execution if a user visits a website containing specially crafted content designed to exploit the vulnerability. In all cases, however, an attacker would have no way to force users to visit such a website. Instead, an attacker would have to convince users to visit the website, typically by getting them to click a link in an email message or Instant Messenger message that takes them to the attacker's website. The malicious file could be sent as an email attachment as well, but the attacker would have to convince the user to open the attachment in order to exploit the vulnerability.

Affected software

- Microsoft Office 2003 SP3
- Microsoft Office 2003 Web Components SP3
- Microsoft Office 2007 SP2
- Microsoft Office 2007 SP3
- Microsoft Office 2010 SP1 (32bit)
- Microsoft SQL Server 2000 SP4
- Microsoft SQL Server 2000 Analysis Services SP4
- Microsoft SQL Server 2005 Express Edition with Advanced Services SP4
- Microsoft SQL Server 2005(32bit) SP4
- Microsoft SQL Server 2005 for x64-based Systems SP4
- Microsoft SQL Server 2005 for Itanium-based Systems SP4
- Microsoft SQL Server 2008 for 32-bit Systems SP2
- Microsoft SQL Server 2008 for 32-bit Systems SP3
- Microsoft SQL Server 2008 for x64-based Systems SP2
- Microsoft SQL Server 2008 for x64-based Systems SP3
- Microsoft SQL Server 2008 for Itanium-based Systems SP2
- Microsoft SQL Server 2008 for Itanium-based Systems SP3
- Microsoft SQL Server 2008 R2 for 32-bit Systems
- Microsoft SQL Server 2008 R2 for 32-bit Systems SP1
- Microsoft SQL Server 2008 R2 for 32-bit Systems SP2
- Microsoft SQL Server 2008 R2 for x64-based Systems
- Microsoft SQL Server 2008 R2 for x64-based Systems SP1
- Microsoft SQL Server 2008 R2 for x64-based Systems SP2
- Microsoft SQL Server 2008 R2 for Itanium-based Systems
- Microsoft SQL Server 2008 R2 for Itanium-based Systems SP1
- Microsoft SQL Server 2008 R2 for Itanium-based Systems SP2
- Microsoft Commerce Server 2002 SP4
- Microsoft Commerce Server 2007 SP2
- Microsoft Commerce Server 2009
- Microsoft Commerce Server 2009 R2
- Microsoft Host Integration Server 2004 SP1
- Microsoft Visual FoxPro 8.0 SP1
- Microsoft Visual FoxPro 9.0 SP2
- Visual Basic 6.0 Runtime
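As an added example (not part of the original summary), the following PowerShell lists the August 2012 bulletins with the KB numbers printed in their titles above and reports which of them appear in Get-HotFix on the local host; it also checks whether Remote Desktop is enabled, since the MS12-053 entry notes that systems without RDP enabled are not at risk. Two assumptions are built in and labelled in the code: Get-HotFix shows only Windows updates, so the Office, Exchange, Visio and common-controls bulletins (MS12-057 to MS12-060) will never appear there; and the KB number in a bulletin title is the overview article, which for some bulletins differs from the numbers of the packages actually installed, so "not found" means "verify", not "missing".

```powershell
# Added example (not part of the original summary): applicability check for the
# August 2012 bulletins on a Windows host. KB numbers are those printed in the
# bulletin titles above; the function names and output layout are this example's own.
function Get-August2012BulletinStatus {
    # Bulletin -> KB article number from the bulletin title.
    $bulletins = [ordered]@{
        'MS12-052' = 2722913
        'MS12-053' = 2723135
        'MS12-054' = 2733594
        'MS12-055' = 2731847
        'MS12-056' = 2706045
        'MS12-057' = 2731879
        'MS12-058' = 2740358
        'MS12-059' = 2733918
        'MS12-060' = 2720573
    }

    # Assumption 1: Get-HotFix lists Windows (OS) updates only. Office, Exchange,
    # Visio and common-controls updates (MS12-057 to MS12-060) do not show up here.
    # Assumption 2: the title KB number matches the installed package's HotFixID;
    # some bulletins ship as separately numbered packages, so treat "not found"
    # as "verify manually", not as proof the update is missing.
    $installed = Get-HotFix | ForEach-Object { $_.HotFixID }

    foreach ($id in $bulletins.Keys) {
        $kb = "KB$($bulletins[$id])"
        [pscustomobject]@{
            Bulletin      = $id
            KB            = $kb
            FoundByHotFix = [bool]($installed -contains $kb)
        }
    }
}

# MS12-053 only matters when Remote Desktop is enabled; the summary notes it is
# off by default. fDenyTSConnections = 0 means incoming connections are allowed.
function Test-RemoteDesktopEnabled {
    $ts = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
                           -Name fDenyTSConnections -ErrorAction SilentlyContinue
    return ($null -ne $ts -and $ts.fDenyTSConnections -eq 0)
}

Get-August2012BulletinStatus | Format-Table -AutoSize
"Remote Desktop enabled (MS12-053 applicable): $(Test-RemoteDesktopEnabled)"
```

Run it from an elevated prompt on the host being assessed; reading the Terminal Server key does not require elevation, but Get-HotFix output is more complete with it.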

Microsoft Security Bulletin Summary for July 2012

1. Introduction

Microsoft's (MS) regular security updates for July 2012 have been released.
Users of MS operating systems are strongly advised to install them to be protected against: Vulnerability in Microsoft XML Core Services Could Allow Remote Code Execution, Vulnerability in Microsoft Data Access Components Could Allow Remote Code Execution, Vulnerability in Visual Basic for Applications Could Allow Remote Code Execution, Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege, Vulnerability in Windows Shell Could Allow Remote Code Execution, Vulnerability in TLS Could Allow Information Disclosure, Vulnerabilities in SharePoint Could Allow Elevation of Privilege, and Vulnerability in Microsoft Office for Mac Could Allow Elevation of Privilege.



2. Update details

[Critical]
[MS12-043] Vulnerability in Microsoft XML Core Services Could Allow Remote Code Execution (2722479)
Vulnerability: MSXML Uninitialized Memory Corruption Vulnerability - CVE-2012-1889

This security update resolves a publicly disclosed vulnerability in Microsoft XML Core Services. The vulnerability could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker would have no way to force users to visit such a website. Instead, an attacker would have to convince users to visit the website, typically by getting them to click a link in an email message or Instant Messenger message that takes the user to the attacker's website.

Affected software

- Windows XP SP3 Microsoft XML Core Services 3.0
- Windows XP SP3 Microsoft XML Core Services 4.0
- Windows XP SP3 Microsoft XML Core Services 6.0
- Windows XP Professional x64 Edition SP2 Microsoft XML Core Services 3.0
- Windows XP Professional x64 Edition SP2 Microsoft XML Core Services 4.0
- Windows XP Professional x64 Edition SP2 Microsoft XML Core Services 6.0
- Windows Server 2003 SP2 Microsoft XML Core Services 3.0
- Windows Server 2003 SP2 Microsoft XML Core Services 4.0
- Windows Server 2003 SP2 Microsoft XML Core Services 6.0
- Windows Server 2003 x64 Edition SP2 Microsoft XML Core Services 3.0
- Windows Server 2003 x64 Edition SP2 Microsoft XML Core Services 4.0
- Windows Server 2003 x64 Edition SP2 Microsoft XML Core Services 6.0
- Windows Server 2003 SP2 Itanium-based Microsoft XML Core Services 3.0
- Windows Server 2003 SP2 Itanium-based Microsoft XML Core Services 4.0
- Windows Server 2003 SP2 Itanium-based Microsoft XML Core Services 6.0
- Windows Vista SP2 Microsoft XML Core Services 3.0
- Windows Vista SP2 Microsoft XML Core Services 4.0
- Windows Vista SP2 Microsoft XML Core Services 6.0
- Windows Vista x64 Edition SP2 Microsoft XML Core Services 3.0
- Windows Vista x64 Edition SP2 Microsoft XML Core Services 4.0
- Windows Vista x64 Edition SP2 Microsoft XML Core Services 6.0
- Windows Server 2008 32bit SP2 Microsoft XML Core Services 3.0
- Windows Server 2008 32bit SP2 Microsoft XML Core Services 4.0
- Windows Server 2008 32bit SP2 Microsoft XML Core Services 6.0
- Windows Server 2008 64bit SP2 Microsoft XML Core Services 3.0
- Windows Server 2008 64bit SP2 Microsoft XML Core Services 4.0
- Windows Server 2008 64bit SP2 Microsoft XML Core Services 6.0
- Windows Server 2008 Itanium-based SP2 Microsoft XML Core Services 3.0
- Windows Server 2008 Itanium-based SP2 Microsoft XML Core Services 4.0
- Windows Server 2008 Itanium-based SP2 Microsoft XML Core Services 6.0
- Windows 7 32bit Microsoft XML Core Services 3.0
- Windows 7 32bit Microsoft XML Core Services 4.0
- Windows 7 32bit Microsoft XML Core Services 6.0
- Windows 7 32bit SP1 Microsoft XML Core Services 3.0
- Windows 7 32bit SP1 Microsoft XML Core Services 4.0
- Windows 7 32bit SP1 Microsoft XML Core Services 6.0
- Windows 7 64bit Itanium-based Microsoft XML Core Services 3.0
- Windows 7 64bit Itanium-based Microsoft XML Core Services 4.0
- Windows 7 64bit Itanium-based Microsoft XML Core Services 6.0
- Windows 7 64bit SP1 Itanium-based Microsoft XML Core Services 3.0
- Windows 7 64bit SP1 Itanium-based Microsoft XML Core Services 4.0
- Windows 7 64bit SP1 Itanium-based Microsoft XML Core Services 6.0
- Windows Server 2008 R2 64bit based Microsoft XML Core Services 3.0
- Windows Server 2008 R2 64bit based Microsoft XML Core Services 6.0
- Windows Server 2008 R2 64bit SP1 based Microsoft XML Core Services 3.0
- Windows Server 2008 R2 64bit SP1 based Microsoft XML Core Services 4.0
- Windows Server 2008 R2 64bit SP1 based Microsoft XML Core Services 6.0
- Windows Server 2008 R2 Itanium-based Microsoft XML Core Services 3.0
- Windows Server 2008 R2 Itanium-based Microsoft XML Core Services 4.0
- Windows Server 2008 R2 Itanium-based Microsoft XML Core Services 6.0
- Windows Server 2008 R2 SP1 Itanium-based Microsoft XML Core Services 3.0
- Windows Server 2008 R2 SP1 Itanium-based Microsoft XML Core Services 4.0
- Windows Server 2008 R2 SP1 Itanium-based Microsoft XML Core Services 6.0

- Reference site

http://technet.microsoft.com/en-us/security/bulletin/MS12-043




[Critical]
[MS12-044] Cumulative Security Update for Internet Explorer (2719177)
Vulnerabilities:
- Cached Object Remote Code Execution Vulnerability - CVE-2012-1522
- Attribute Remove Remote Code Execution Vulnerability - CVE-2012-1524


This security update resolves two privately reported vulnerabilities in Internet Explorer. The vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited any of these vulnerabilities could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Affected software

- Internet Explorer 9 with Windows Vista SP2
- Internet Explorer 9 with Windows Vista x64 Edition SP2
- Internet Explorer 9 with Windows Server 2008 for 32-bit SP2
- Internet Explorer 9 with Windows Server 2008 for 64-bit based Systems SP2
- Internet Explorer 9 with Windows 7 for 32-bit and Windows 7 for 32-bit SP1
- Internet Explorer 9 with Windows 7 for x64-based and Windows 7 for x64-based SP1
- Internet Explorer 9 with Windows Server 2008 R2 for 64-bit and Windows Server 2008 R2 for 64-bit SP1

- Reference site

http://technet.microsoft.com/en-us/security/bulletin/MS12-044



[Critical]
[MS12-045] Vulnerability in Microsoft Data Access Components Could Allow Remote Code Execution (2698365)
Vulnerability: ADO Cachesize Heap Overflow RCE Vulnerability - CVE-2012-1891

This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a user views a specially crafted webpage. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Affected software

- Windows XP SP3 Microsoft Data Access Components 2.8 SP1
- Windows XP Professional x64 Edition SP2 Microsoft Data Access Components 2.8 SP2
- Windows Server 2003 SP2 Microsoft Data Access Components 2.8 SP2
- Windows Server 2003 x64 Edition SP2 Microsoft Data Access Components 2.8 SP2
- Windows Server 2003 with SP2 for Itanium-based Systems Microsoft Data Access Components 2.8 SP2
- Windows Vista SP2 Windows Data Access Components 6.0
- Windows Vista x64 Edition SP2 Windows Data Access Components 6.0
- Windows Server 2008 for 32-bit Systems SP2 Windows Data Access Components 6.0
- Windows Server 2008 for x64-based SP2 Windows Data Access Components 6.0
- Windows Server 2008 for Itanium-based Systems SP2 Windows Data Access Components 6.0
- Windows 7 for 32-bit Systems Windows Data Access Components 6.0
- Windows 7 for 32-bit Systems SP1 Windows Data Access Components 6.0
- Windows 7 for x64-based Systems Windows Data Access Components 6.0
- Windows 7 for x64-based Systems SP1 Windows Data Access Components 6.0
- Windows Server 2008 R2 for x64-based Systems Windows Data Access Components 6.0
- Windows Server 2008 R2 for x64-based Systems SP1 Windows Data Access Components 6.0
- Windows Server 2008 R2 for Itanium-based Systems Windows Data Access Components 6.0
- Windows Server 2008 R2 for Itanium-based Systems SP1 Windows Data Access Components 6.0

- Reference site

http://technet.microsoft.com/en-us/security/bulletin/MS12-045



[Important]
[MS12-046] Vulnerability in Visual Basic for Applications Could Allow Remote Code Execution (2707960)
Vulnerability: Visual Basic for Applications Insecure Library Loading Vulnerability - CVE-2012-1854

This security update resolves one publicly disclosed vulnerability in Microsoft Visual Basic for Applications. The vulnerability could allow remote code execution if a user opens a legitimate Microsoft Office file (such as a .docx file) that is located in the same directory as a specially crafted dynamic link library (DLL) file. An attacker could then install programs; view, change, or delete data; or create new accounts that have full user rights. If a user is logged on with administrative user rights, an attacker could take complete control of the affected system. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Affected software

- Microsoft Office 2003 Service Pack 3
- Microsoft Office 2007 Service Pack 2
- Microsoft Office 2007 Service Pack 3
- Microsoft Office 2010 32-bit
- Microsoft Office 2010 SP1 32-bit
- Microsoft Office 2010 64-bit
- Microsoft Office 2010 SP1 64-bit

- Reference site

http://technet.microsoft.com/en-us/security/bulletin/MS12-046



[Important]
[MS12-047] Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2718523)
Vulnerabilities:
- Keyboard Layout Vulnerability - CVE-2012-1890
- Win32k Incorrect Type Handling Vulnerability - CVE-2012-1893


This security update resolves one publicly disclosed and one privately reported vulnerability in Microsoft Windows. The vulnerabilities could allow elevation of privilege if an attacker logs on to the system and runs a specially crafted application. An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability.

Affected software

- Windows XP SP3
- Windows XP Professional x64 Edition SP2
- Windows Server 2003 SP2
- Windows Server 2003 x64 Edition SP2
- Windows Server 2003 Itanium-based SP2
- Windows Vista SP2
- Windows Vista x64 Edition SP2
- Windows Server 2008 for 32bit and Windows Server 2008 for 32bit SP2 *
- Windows Server 2008 for x64-based and Windows Server 2008 for x64-based SP2 *
- Windows Server 2008 for Itanium-based and Windows Server 2008 for Itanium SP2
- Windows 7 for 32-bit and Windows 7 for 32bit SP1
- Windows 7 for x64-based and Windows 7 for x64-based SP1
- Windows Server 2008 R2 for x64-based and Windows Server R2 for x64-based SP1 *
- Windows Server 2008 R2 for Itanium-based and Windows Server 2008 R2 for Itanium SP1 *

- Reference site

http://technet.microsoft.com/en-us/security/bulletin/MS12-047



[Important]
[MS12-048] Vulnerability in Windows Shell Could Allow Remote Code Execution (2691442)
Vulnerability: Command Injection Vulnerability - CVE-2012-0175

This security update resolves one privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a user opens a file or directory with a specially crafted name. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Affected software

- Windows XP SP3
- Windows XP Professional x64 Edition SP2
- Windows Server 2003 SP2
- Windows Server 2003 x64 Edition SP2
- Windows Server 2003 Itanium-based SP2
- Windows Vista SP2
- Windows Vista x64 Edition SP2
- Windows Server 2008 for 32bit and Windows Server 2008 for 32bit SP2 *
- Windows Server 2008 for x64-based and Windows Server 2008 for x64-based SP2 *
- Windows Server 2008 for Itanium-based and Windows Server 2008 for Itanium SP2
- Windows 7 for 32-bit and Windows 7 for 32bit SP1
- Windows 7 for x64-based and Windows 7 for x64-based SP1
- Windows Server 2008 R2 for x64-based and Windows Server R2 for x64-based SP1 *
- Windows Server 2008 R2 for Itanium-based and Windows Server 2008 R2 for Itanium SP1 *

- Reference site

http://technet.microsoft.com/en-us/security/bulletin/MS12-048



[Important]
[MS12-049] Vulnerability in TLS Could Allow Information Disclosure (2655992)
Vulnerability: TLS Protocol Vulnerability - CVE-2012-1870

This security update resolves a publicly disclosed vulnerability in TLS. The vulnerability could allow information disclosure if an attacker intercepts encrypted web traffic served from an affected system. All cipher suites that do not use CBC mode are not affected.

Affected software

- Windows XP SP3
- Windows XP Professional x64 Edition SP2
- Windows Server 2003 SP2
- Windows Server 2003 x64 Edition SP2
- Windows Server 2003 Itanium-based SP2
- Windows Vista SP2
- Windows Vista x64 Edition SP2
- Windows Server 2008 for 32bit and Windows Server 2008 for 32bit SP2 *
- Windows Server 2008 for x64-based and Windows Server 2008 for x64-based SP2 *
- Windows Server 2008 for Itanium-based and Windows Server 2008 for Itanium SP2
- Windows 7 for 32-bit and Windows 7 for 32bit SP1
- Windows 7 for x64-based and Windows 7 for x64-based SP1
- Windows Server 2008 R2 for x64-based and Windows Server R2 for x64-based SP1 *
- Windows Server 2008 R2 for Itanium-based and Windows Server 2008 R2 for Itanium SP1 *

- Reference site

http://technet.microsoft.com/en-us/security/bulletin/MS12-049



[Important]
[MS12-050] Vulnerabilities in SharePoint Could Allow Elevation of Privilege (2695502)
Vulnerabilities:
- HTML Sanitization Vulnerability - CVE-2012-1858
- XSS scriptresx.ashx Vulnerability - CVE-2012-1859
- SharePoint Search Scope Vulnerability - CVE-2012-1860
- SharePoint Script in Username Vulnerability - CVE-2012-1861
- SharePoint URL Redirection Vulnerability - CVE-2012-1862
- SharePoint Reflected List Parameter Vulnerability - CVE-2012-1863


This security update resolves one publicly disclosed and five privately reported vulnerabilities in Microsoft SharePoint and Windows SharePoint Services. The most severe vulnerabilities could allow elevation of privilege if a user clicks a specially crafted URL that takes the user to a targeted SharePoint site.

Affected software

- Microsoft InfoPath 2007 SP2
- Microsoft InfoPath 2007 SP3
- Microsoft InfoPath 2010 32-bit
- Microsoft InfoPath 2010 SP1 32-bit
- Microsoft InfoPath 2010 64-bit
- Microsoft InfoPath 2010 SP1 64-bit
- Microsoft Office SharePoint Server 2007 SP2 32-bit
- Microsoft Office SharePoint Server 2007 SP3 32-bit
- Microsoft Office SharePoint Server 2007 SP2 64-bit
- Microsoft Office SharePoint Server 2007 SP3 64-bit
- Microsoft SharePoint Server 2010
- Microsoft SharePoint Server 2010 SP1
- Microsoft Groove Server 2010
- Microsoft Groove Server 2010 SP1
- Microsoft Windows SharePoint Services 3.0 SP2 32-bit
- Microsoft Windows SharePoint Services 3.0 SP2 64-bit
- Microsoft SharePoint Foundation 2010
- Microsoft SharePoint Foundation 2010 SP1
- Microsoft Office Web Apps 2010
- Microsoft Office Web Apps 2010 SP1

- Reference site

http://technet.microsoft.com/en-us/security/bulletin/MS12-050



[Important]
[MS12-051] Vulnerability in Microsoft Office for Mac Could Allow Elevation of Privilege (2721015)
Vulnerability: Office for Mac Improper Folder Permissions Vulnerability - CVE-2012-1894

This security update resolves one publicly disclosed vulnerability in Microsoft Office for Mac. The vulnerability could allow elevation of privilege if a malicious executable is placed on an affected system by an attacker, and then another user logs on later and runs the malicious executable. An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability.

Affected Software

- Microsoft Office for Mac 2011

- Reference site

http://technet.microsoft.com/en-us/security/bulletin/MS12-051
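The bulletin above describes CVE-2012-1894 as an improper folder permissions problem: one local user can place an executable where another user later runs it. The bulletin does not name the affected folder, so the following Python audit is an added example (not code from Microsoft or INCA Internet) that takes any root as an assumption and reports the general condition behind that class of bug: directories that every local user can write to without the sticky bit, and executable files that every local user can modify. It relies on POSIX mode bits, so it applies to the Mac side of this bulletin and not to Windows ACLs; the demo() tree it builds is constructed throwaway data.

```python
import os
import stat
import tempfile

# Added example: audit a directory tree for places where one local
# user could plant or replace an executable that another user will run.


def weak_permissions(root):
    """Return (kind, path) findings under root.

    kind == "dir":  world-writable directory without the sticky bit
    kind == "file": world-writable file that is also executable
    Symbolic links are skipped so the audit stays inside the tree.
    """
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames:
            full = os.path.join(dirpath, name)
            try:
                mode = os.lstat(full).st_mode
            except OSError:
                continue
            if stat.S_ISLNK(mode):
                continue
            if mode & stat.S_IWOTH and not mode & stat.S_ISVTX:
                findings.append(("dir", full))
        for name in filenames:
            full = os.path.join(dirpath, name)
            try:
                mode = os.lstat(full).st_mode
            except OSError:
                continue
            if stat.S_ISLNK(mode):
                continue
            executable = mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH)
            if mode & stat.S_IWOTH and executable:
                findings.append(("file", full))
    return findings


def demo():
    """Build a constructed tree with one safe folder and one loose
    folder holding a world-writable executable, then return what the
    audit flags as (kind, relative path) with forward slashes."""
    base = tempfile.mkdtemp(prefix="permaudit-")
    safe = os.path.join(base, "Contents")
    loose = os.path.join(base, "Shared")
    os.makedirs(safe)
    os.makedirs(loose)
    tool = os.path.join(loose, "tool")
    with open(tool, "w") as handle:
        handle.write("#!/bin/sh\necho hello\n")
    os.chmod(safe, 0o755)
    os.chmod(loose, 0o777)
    os.chmod(tool, 0o777)
    return sorted(
        (kind, os.path.relpath(path, base).replace(os.sep, "/"))
        for kind, path in weak_permissions(base)
    )


if __name__ == "__main__":
    for kind, path in demo():
        print(kind, path)
    # Real use: weak_permissions("/Applications") or any install root.
```

A sticky-bit directory such as /tmp is excluded on purpose: other users can create files there but cannot replace or delete files they do not own, which is why it is not flagged.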

8/23/2012

[Issue] APT attack in Taiwan related to a Taiwanese airline company

1. Introduction

INCA Internet's response team reported on the Taiwanese APT attacks carried out at intervals since April 2012 and is still collecting related information. Among them, we found another type of APT attack disguised as mail sent from an airline company (EVA Air). The attacker targeted officers of the Council of Agriculture (Republic of China) and the Department of Health (Republic of China).
The malicious file used in the attack was disguised as an e-ticket receipt, and its icon as a folder.

INCA Internet's response team is tracking this attack on the assumption that it is a continuation of the previous APT attacks against office workers.



2. APT attack disguised as mail from an airline company

[Issue] Several APT attacks on Taipei with time interval 

Attacks on Taiwanese government officers are still being found. First, on July 3, 2012, the attacker sent officers of the marketing team of the Council of Agriculture (Republic of China) a message titled "EVA Airline e-ticket receipt" with malicious files attached.

This e-mail contains a compressed file (69380236_10107_receipt.rar) which holds the malicious file "69380236_10107_receipt.exe".


The next day, similar malicious mails were sent to officers of the public health team of the Department of Health (Republic of China), with the message "Special price of Cathay Pacific Airlines".


Since the same malicious files were used, we can assume that the same attacker or organization carried out both attacks.


"69380236_10107_receipt.rar" contains a malicious file with a folder-style icon.


Upon executing "69380236_10107_receipt.exe", it creates "atievxx.exe" in the (Temp) folder.


It then creates a "69380236_10107_receipt" folder with a "69380236_10107_receipt.pdf" file inside it.


"69380236_10107_receipt.pdf" is password-protected. Recently we have seen many password-protected files used in APT attacks, so password-protected files, especially document files (PDF, HWP, DOC, XLS), have a high probability of being malicious. If you think you are infected, you should change your e-mail password and personal information.


"atievxx.exe" connects to a certain host in Hong Kong and then waits for additional commands from the attacker; it works as a backdoor and can leak various information.


3. Summary

We should note that various APT attacks are booming these days, and users need to be careful of exposure to these security threats. To use your PC safely despite the threat from such malicious attachments, we recommend that you install the latest security updates and follow the "Security management tips" for general users below.

Security management tips

1. Keep the OS and applications up to date with the latest security updates.
2. Use anti-virus software from a trustworthy security company, keep its engine updated, and use the real-time detection function.
3. Do not open or download attachments from suspicious e-mails.
4. Be cautious of links from instant messengers and SNS.

INCA Internet (Security Response Center / Emergency Response Team) runs a response system against various security threats.
nProtect Anti-Virus/Spyware v3.0 detects and removes these files and their variants.

Free installation link for nProtect AVS: http://avs.nprotect.com/

8/22/2012

[Issue] Multiple APT attacks targeting both Mac and Windows

1. Information

INCA Internet's response team detected multiple APT attacks targeting both Apple's Mac OS and Microsoft's Windows. Most reported APT attacks so far targeted Windows; however, we have now seen APT attacks targeting Mac. This means attackers are responding to the rapid growth in Mac users and are producing malicious files for them. Mac users therefore need to be careful of malicious files.
In particular, we need to be careful with e-mail attachments.



2. Malicious file attack procedure and technique

The attack used malicious e-mail containing content related to the Uyghur people, sent in June 2012.


The recipient used Yahoo Canada's mail service, but uses the Uyghur language on a general web site and goes by the name Uyghurmen.


The e-mails came in two versions. The attachment was named "matiriyal.zip" in both, but one carried the malicious file for Mac and the other the malicious file for Windows.

The following figure shows the malicious file for Mac OS.



The following figure shows the malicious file for Windows.



Each attachment contains the same JPG file, shown below.

She is Rebiya Kadeer, a Uyghur human rights activist with origins in Xinjiang, China. Kadeer is the symbolic leader of the Uighur self-determination movement in her capacity as President of the World Uyghur Congress, a group that advocates for greater autonomy for Uyghurs in China and fights against what they consider to be oppressive policies of the Chinese government.



The malicious file for Mac is located at "\matiriyal.app\Contents\MacOS\iCnat" and works as a backdoor. It also contains several typos, including "Recieve", "os verison" and "memery".


This malicious file tries to connect to a certain C&C server in China and can perform various additional attacks.



"matiriyal.exe", the malicious file for Windows, has its icon disguised as an MS Word file and is packed as a RAR SFX archive. It contains "1.exe".


"1.exe" creates "kbdmgr.exe" in the Temp folder and sets the Startup folder as hidden. It then creates "kbdmgr.lnk" there so that the malicious file runs at boot.

Both malicious files are written to do similar work, and the Windows one contains the string "DDoS".
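The two write-ups above (the EVA Air e-ticket lure and the "matiriyal.zip" Mac/Windows lure) publish file and folder names rather than hashes, which is enough for a responder to sweep the Temp and Startup folders of a suspect host. The following Python script is an added example, not code from INCA Internet or nProtect: it matches path components against those names, so the dropped decoy folder and the Mac application bundle are caught even when the file inside has an unremarkable name. The sample listing at the bottom is constructed, and "1.exe" is deliberately left out of the indicator set because such a generic name would only produce false positives.

```python
import os

# Added example: host indicators collected from the two posts above
# (names only; the posts publish no hashes). Keys are lower-case.
INDICATORS = {
    "69380236_10107_receipt.rar": "EVA Air lure: mail attachment",
    "69380236_10107_receipt.exe": "EVA Air lure: dropper with folder icon",
    "69380236_10107_receipt": "EVA Air lure: decoy folder holding the locked PDF",
    "atievxx.exe": "EVA Air lure: backdoor dropped into the Temp folder",
    "matiriyal.zip": "Uyghur lure: mail attachment (Mac and Windows variants)",
    "matiriyal.exe": "Uyghur lure (Windows): RAR SFX with Word icon",
    "matiriyal.app": "Uyghur lure (Mac): application bundle",
    "icnat": "Uyghur lure (Mac): backdoor in matiriyal.app/Contents/MacOS",
    "kbdmgr.exe": "Uyghur lure (Windows): dropped into the Temp folder",
    "kbdmgr.lnk": "Uyghur lure (Windows): Startup-folder persistence",
}


def _components(path):
    """Split a Windows or POSIX path into lower-cased components."""
    return [c for c in path.replace("\\", "/").lower().split("/") if c]


def match_indicators(paths):
    """Return (path, description) for each path whose innermost matching
    component is a known indicator. One hit per path: the file name is
    tried first, then each parent folder outward."""
    hits = []
    for path in paths:
        for component in reversed(_components(path)):
            if component in INDICATORS:
                hits.append((path, INDICATORS[component]))
                break
    return hits


def scan_directory(root):
    """Walk a real directory tree (for example %TEMP% or the Startup
    folder) and report files and folders whose names match."""
    paths = []
    for dirpath, dirnames, filenames in os.walk(root):
        paths.extend(os.path.join(dirpath, d) for d in dirnames)
        paths.extend(os.path.join(dirpath, f) for f in filenames)
    return match_indicators(paths)


# Constructed listing of a Temp folder, a Startup folder and a Mac
# Downloads folder, as a responder might export it (not a real host).
SAMPLE_LISTING = [
    r"C:\Documents and Settings\user\Local Settings\Temp\atievxx.exe",
    r"C:\Documents and Settings\user\Local Settings\Temp\69380236_10107_receipt\69380236_10107_receipt.pdf",
    r"C:\Documents and Settings\user\Local Settings\Temp\~DF1A2B.tmp",
    r"C:\Documents and Settings\user\Start Menu\Programs\Startup\kbdmgr.lnk",
    "/Users/analyst/Downloads/matiriyal.app/Contents/MacOS/iCnat",
    "/Users/analyst/Downloads/holiday.jpg",
]

if __name__ == "__main__":
    for path, why in match_indicators(SAMPLE_LISTING):
        print(f"{path}: {why}")
    # Live sweep of the current user's Temp folder (TEMP on Windows, /tmp elsewhere).
    for path, why in scan_directory(os.environ.get("TEMP", "/tmp")):
        print(f"{path}: {why}")
```

Name matching of this kind is cheap to evade by renaming, so treat a hit as a reason to pull the file for analysis rather than as the whole verdict; the page's own observation that the droppers carry document or folder icons is the behavioural clue a sweep like this cannot see.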


3. Summary

We should note that malicious files for Mac are spreading these days. To use your PC safely despite the threat from such malicious attachments, we recommend that you install the latest security updates and follow the "Security management tips" for general users below.

Security management tips

1. Keep the OS and applications up to date with the latest security updates.
2. Use anti-virus software from a trustworthy security company, keep its engine updated, and use the real-time detection function.
3. Do not open or download attachments from suspicious e-mails.
4. Be cautious of links from instant messengers and SNS.

INCA Internet (Security Response Center / Emergency Response Team) runs a response system against various security threats.
nProtect Anti-Virus/Spyware v3.0 detects and removes these files and their variants.

Free installation link for nProtect AVS: http://avs.nprotect.com/