PlugX Trojan was seen making the rounds (July 30, 2015)

The Dell SonicWALL Threat Research team has received reports of a Trojan called PlugX or Korplug, which has recently been seen compromising various U.S. Government entities and other industries such as aerospace, media, healthcare and telecommunication networks. This Trojan has been reported to be in existence since 2008, and over the past few years PlugX has seen continuous development and use in targeted attacks resulting in the theft of sensitive information.

Infection Cycle:

PlugX has previously been seen bundled with online game installations, but more recently it has been delivered via spear-phishing emails. These emails contain a malicious rich text document that exploits vulnerabilities in Microsoft Word which could allow remote code execution. Several variants have leveraged exploits for CVE-2012-0158 and CVE-2014-1761, both of which have been resolved by Microsoft.

Once dropped on the victim machine, the main installer of this Trojan comes as a self-extracting RAR file and may use the following icons:

A more recent variant of this Trojan creates the following files:

  • %Userprofile%\SxS\NvSmart.exe – a benign file with a valid digital signature from a well-known vendor (e.g. Symantec, Microsoft, McAfee, Samsung and, in this case, Nvidia)
  • %Userprofile%\SxS\NvSmartMax.dll – malicious DLL [Detected as GAV: PlugX.DLL (Trojan)]
  • %Userprofile%\SxS\xxx.xxx – a configuration file

NvSmart.exe imports functions from NvSmartMax.dll. In a legitimate installation it would load the genuine Nvidia library, but because a malicious DLL with the same name sits in the same directory as the executable, the Windows DLL search order resolves the import to the malicious copy instead.

Upon execution, this Trojan spawns svchost.exe and injects its code into it, most likely to evade detection.
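One way to hunt for the side-loading layout just described, as an added example that is not from the SonicWall write-up: a small Python scanner over constructed image-load records (Sysmon Event ID 7-like fields plus an assumed ImageSigned field) that flags a signed host executable in a user-writable directory loading an unsigned DLL from its own directory. The %Userprofile%\SxS path is expanded to C:\Users\alice\SxS in the constructed sample.

```python
"""Flag the DLL search-order side-loading pattern seen with PlugX: a signed,
benign NvSmart.exe dropped into a user-writable directory resolves its
NvSmartMax.dll import to the unsigned copy sitting next to it.

Added example, not code from the original write-up. The log format and the
sample lines are constructed; they mimic Sysmon Event ID 7 fields (Image,
ImageLoaded, Signed) and add an assumed ImageSigned field that a real
pipeline would join in from the process-create event.
"""
import ntpath

# Directories an unprivileged user can write to. A signed vendor binary has
# no business living here. Assumed list; extend it for your environment.
USER_WRITABLE_PREFIXES = (
    "c:\\users\\",
    "c:\\documents and settings\\",
    "c:\\programdata\\",
)

# Constructed sample telemetry (not from the original page).
SAMPLE_LOG = """\
Image: C:\\Users\\alice\\SxS\\NvSmart.exe|ImageSigned: true|ImageLoaded: C:\\Users\\alice\\SxS\\NvSmartMax.dll|Signed: false
Image: C:\\Users\\alice\\SxS\\NvSmart.exe|ImageSigned: true|ImageLoaded: C:\\Windows\\System32\\kernel32.dll|Signed: true
Image: C:\\Program Files\\NVIDIA Corporation\\NvSmart.exe|ImageSigned: true|ImageLoaded: C:\\Program Files\\NVIDIA Corporation\\NvSmartMax.dll|Signed: true
Image: C:\\Users\\bob\\Downloads\\tool.exe|ImageSigned: false|ImageLoaded: C:\\Users\\bob\\Downloads\\helper.dll|Signed: false
"""


def parse_line(line):
    """Turn 'Key: value|Key: value' into a dict; only the first ':' of each
    field separates key from value, so drive letters survive."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition(":")
        fields[key.strip()] = value.strip()
    return fields


def _norm(path):
    # Case-insensitive, normalised Windows path for comparisons.
    return ntpath.normpath(path).lower()


def in_user_writable_dir(path):
    return _norm(path).startswith(USER_WRITABLE_PREFIXES)


def sideload_finding(event):
    """Return a reason string if the event matches the side-loading pattern,
    otherwise None."""
    exe = event["Image"]
    dll = event["ImageLoaded"]
    exe_signed = event.get("ImageSigned", "false").lower() == "true"
    dll_signed = event.get("Signed", "false").lower() == "true"

    same_dir = ntpath.dirname(_norm(exe)) == ntpath.dirname(_norm(dll))
    if not (same_dir and in_user_writable_dir(exe)):
        return None  # not the "DLL dropped next to its host" layout
    if dll_signed:
        return None  # a signed vendor pair, as in a real install directory
    if not exe_signed:
        return None  # unsigned host plus unsigned DLL: ordinary unsigned
                     # software, not a trusted binary being abused
    return ("signed host %s loaded unsigned %s from the same user-writable directory"
            % (ntpath.basename(exe), ntpath.basename(dll)))


def scan(log_text):
    """Return a list of (exe_path, dll_path, reason) for matching events."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        reason = sideload_finding(ev)
        if reason:
            findings.append((ev["Image"], ev["ImageLoaded"], reason))
    return findings


if __name__ == "__main__":
    for exe, dll, why in scan(SAMPLE_LOG):
        print("SIDELOAD-CANDIDATE", exe, "->", dll, ":", why)
```

Only the NvSmart.exe/NvSmartMax.dll pair under C:\Users is reported; the same pair under Program Files with a signed DLL, and the unsigned tool.exe in Downloads, are not.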

During our analysis, we saw this Trojan take desktop screenshots every 10 seconds and save them in a directory.

It also logged all active windows to a text file.

Apart from what was observed, this Trojan has been reported to have the following capabilities:

  • Communicate to several C&C servers
  • Collect history information of visited URLs from different browsers
  • Remote access/Backdoor functionalities: download, execute, create, delete and enumerate processes; administrative control over a target system
  • Log keystrokes

Dell SonicWALL Gateway AntiVirus provides protection against this threat with the following signatures:

  • GAV: PlugX.BK (Trojan)
  • GAV: PlugX.BK_2 (Trojan)
  • GAV: PlugX.DLL (Trojan)
  • GAV: PlugX.KOR (Trojan)

Stagefright – One of the most threatening Android exploit ever discovered (July 30, 2015)

A new security vulnerability in Android OS, collectively dubbed by the security community the “worst Android vulnerability” discovered to date, has surfaced, leaving millions of Android devices susceptible. The research team that unearthed it has named it Stagefright.

The potency of a vulnerability often stems from the ease with which it can break the security of a target system. Stagefright excels by this measure, as the attack can be executed remotely without any user intervention.

Most Android devices today have Google Hangouts set as the default messaging application. The vulnerability stems from the way Hangouts handles messages. When Hangouts receives an MMS message containing a video, it starts processing the video immediately, placing it in the gallery ready for viewing and rendering a preview in the message notification, all before the user opens the message. So if an attacker sends an MMS message containing a video that carries the malicious code, Hangouts starts processing the message and inadvertently ends up executing the bundled malicious code.

Complete details about the vulnerability have not been released yet, but according to a number of security forums, certain fields of the video metadata can be used to trigger a buffer overflow, allowing the attacker to execute malicious code on the device. The research team will make more details public, along with proof-of-concept exploit code, at the Black Hat security conference on August 5.

Google has already acknowledged the vulnerability and patched it quickly. Unfortunately, only the Nexus line of Google devices receives patches directly from Google; devices from other brands have to rely on manufacturers and carriers for software updates. Until then it is recommended to disable the “Auto retrieve MMS” feature in messaging apps:

  • Hangouts: Select Settings, choose SMS, then uncheck “Auto retrieve MMS”
  • Messaging: Select Options from the upper right corner to go into Settings, then uncheck “MMS auto download”
  • As a precaution it is recommended to disable similar “Auto Retrieve” functionality in other messaging apps as well, for example WhatsApp:

Dell SonicWall Threats Research team will continue to monitor developments on this vulnerability and update our blogs accordingly.

Combat Cyber Espionage with New SonicWall TZ Wireless Firewalls

How many times have you heard the phrase, “Your data is your most valuable possession?” Pretty often I bet. And it’s true. The information your organization keeps is extremely important not only to you, but to your customers as well.

I was thinking about this the other day while watching a scene from the movie “The Incredibles” where the superhero mom tells her daughter, “Your identity is your most valuable possession. Protect it.” That’s good advice, whether it’s data, records or even the identity of your employees or your customers. Protecting the things that are valuable to your organization from the seemingly relentless onslaught of theft is critical in today’s world.

Every day we are all potential victims of cyber-espionage. It doesn’t matter what size your organization is. Sure, the bigger the victim the larger the headline. To safeguard our customers against attack, today SonicWall has announced the new SonicWall TZ Wireless firewall series which combines enterprise-grade security, deep packet inspection of SSL-encrypted traffic and integrated high-speed 802.11ac wireless for small and medium-sized businesses and distributed enterprises.

Back in April we announced our new lineup of secure, high-performance SonicWall TZ series firewalls that help both small and medium-sized businesses (SMBs) and large distributed enterprises protect their most valuable assets. The TZ series allows SonicWall to offer market-leading security solutions to its customers at a price that fits under even the tightest budgets. With these new firewalls, small organizations can afford the same security effectiveness as large enterprises.

One of our premier partners, Western NRG, has already experienced the incredible benefits of the new TZ wireless firewalls.

“Since I upgraded my remote office from a TZ 105 Wireless to the new TZ500 Wireless I have noticed a substantial increase in my Internet speeds! I am truly taking advantage of the 100Mb download offering from my ISP. In addition, I have also added the new SonicPoint ACi to the network. The boys at NRG configured the TZ500 Wireless and the SonicPoint ACi to use the 5GHz radio and a single SSID which allows me to connect anywhere in the multi-story 3400 square foot facility and have seamless wireless access to networking resources now with amazing speeds!” said Tim Martinez, president of Western NRG, Inc.

The TZ Wireless series takes security and performance another giant step forward with built-in secure WiFi connectivity. And not just any WiFi. With these new firewalls, our customers can have the same level of protection and performance on their wireless networks as they do on their wired networks.

If you’re familiar with the benefits of 802.11ac, good for you. If you’re not, there are plenty of articles you can read on the subject. Even better, check out Scott Grebe’s blog titled “Three Reasons to Make the Jump to 802.11ac.” If you don’t have the time, here is the abbreviated version.

  • 802.11ac is really fast. It’s about 3x faster than its predecessor 802.11n. Faster speed means greater employee productivity and a better user experience.
  • 802.11ac enhances the quality of the wireless signal. Ever have a poor WiFi or cellular connection? How did that make you feel?
  • 802.11ac plays well with earlier wireless standards. In other words, it’s backward compatible with WiFi devices that use the 802.11n, b, g or a standards like your mobile phone, tablet and laptop so you can continue to use them to connect to the wireless network if you want.

The integration of high-speed wireless into our TZ series firewalls is good news for SonicWall customers. It enables us to offer them a complete security solution for wired and wireless networks of all sizes. SMBs love the highly integrated nature of the TZ series along with the simplified setup and management. Configuration of the LAN and wireless LAN and accompanying security is all done through the appliance’s GUI. So is the management. Distributed enterprises also enjoy these same benefits, however many take things a step further by adding our award-winning Global Management System (GMS) to enable centralized management and reporting of multiple TZ series firewalls deployed in different locations.

With the introduction of our new TZ Wireless series we have our strongest lineup ever of wired and wireless firewall solutions for SMBs and distributed enterprises. Whether it’s our customers’ data, their records or even their superhero identities, we’re able to protect it like no one else. If you want to learn more about the TZ series including our new wireless models featuring 802.11ac, check out the TZ series page on our website.

Five Essentials for Best of Breed Next Gen Firewalls

Beyond basic network firewall testing scenarios, the specialized firewall testing tools needed to accurately assess next-generation firewall (NGFW) security effectiveness remain out of reach for all but the largest IT department budgets. Therefore, most organizations look to independent hands-on test results from respected research laboratories such as NSS Labs. NSS Labs uses a very specific testing methodology that is run on each of the NGFWs being tested. Their Next-Generation Firewall Product Analysis Report provides detailed information on how a specific firewall scored when tested in these key essential areas:

  • Security Effectiveness
  • Performance
  • Stability and Reliability
  • Management and Configuration
  • Total Cost of Ownership

Security Effectiveness

Security effectiveness verifies that the firewall being tested is capable of enforcing the security policy effectively. Security effectiveness tests include:

Firewall Policy enforcement

Incremental tests that build the configuration from a simple to a complex real-world policy consisting of many addresses, policies, applications and inspection engines, plus protection from DoS attacks and IP spoofing.

Application Control

The firewall is tested to see whether it can correctly identify the application regardless of the ports/protocols used and enforce application policy at the appropriate granularity.

User/Group ID aware policies

Correctly determine the user/group from deep packet inspection and enforce policy with user awareness.

Intrusion Prevention

Correctly block malicious traffic “out of the box” using the default policy (no IPS tuning is allowed for this test).

Evasion

Decode/block basic obfuscated exploits and provide an accurate alert based on the actual attack, without being fooled by the evasion technique itself.

How did SonicWall next-generation firewalls do? They passed all criteria. Noteworthy SonicWall results included a 97.9 percent exploit block rate. No NGFW tested achieved a 100 percent exploit block rate, because the NSS Labs test suite is constantly changing. However, over the last three years SonicWall has consistently been rated in the leaders quadrant and has demonstrated a consistently improved block rate year over year.

Performance

Measures how well a given NGFW performs when subjected to various traffic conditions. No two networks will have the exact same characteristics but this test does provide metrics to gauge if a given NGFW is appropriate in a given environment.

  • Raw Packet Processing Performance (UDP packets of various sizes are tested): Measures the raw packet processing capability of each of the NGFW’s in-line port pairs; the packet forwarding rate is measured for highest performance/lowest latency.
  • Latency (packet loss/average latency): Determines the effect the NGFW has on traffic passing through it under various loads. Traffic passes through all port pairs simultaneously.
  • Maximum Capacity (generates TCP session-based connections and HTTP transactions): Stresses the inspection engine with multi-gigabit “real world” traffic to determine expected user response times, maximum connections per second, concurrent open connections and application transactions per second against the backdrop of a heavily utilized network.
  • HTTP Capacity – No Transaction Delay (uses HTTP GET requests): How much HTTP traffic of varying packet sizes can be passed at various connections-per-second loads.
  • Application Average Response Time – HTTP (across all in-line port pairs simultaneously): Measures average HTTP latency using various packet sizes at 90 percent of maximum load.
  • HTTP Capacity with Transaction Delay: Same as above except it introduces a 5 second server response delay, forcing a high number of open connections.
  • Real World Traffic (generates the protocol mix usually seen by industry verticals, i.e. financial, education, data center, mobile carrier, etc.): Same as the previous test, except it adds additional protocols and real content.

Stability and Reliability

These tests measure how well a next-generation firewall passes legitimate traffic while under attack. To pass, the NGFW must be able to block and alert on 100 percent of the attacks previously blocked while remaining operational.

  • Blocking under Extended Attack: Measures consistency of blocking. Sends continuous policy violations at 100Mbps over 8 hours.
  • Passing Legitimate Traffic Under Extended Attack: Same as the previous test except that legitimate traffic is sent in addition. The NGFW must pass all legitimate traffic.
  • Behavior of State Engine Under Load: Can the NGFW preserve state across a large number of connections over an extended time? It must not exhaust the resources allocated to state tables or ‘leak’ connections through after the theoretical maximum number of concurrent connections is reached.
  • Protocol Fuzzing and Mutation: Sends random, unexpected or invalid data to the NGFW and verifies that the NGFW remains operational and detects/blocks exploits throughout the test.
  • Power Fail: Power is turned off while passing traffic; the NGFW should fail closed after power is cut.
  • Persistence of Data: Measures whether the NGFW retains policy, configuration and log data when restored after a power failure.

Total Cost of Ownership and Value

Measures overall costs of deployment, maintenance and upkeep over the useful life of the product.

  • Product Purchase: Cost of acquisition.
  • Product Maintenance: Fees paid to the vendor (hardware maintenance, subscription services, etc.).
  • Installation: Time required to make the NGFW operational out of the box.
  • Upkeep: Time required to apply vendor-supplied firmware, updates and patches.

New GamaPoS malware targets US companies

The Dell SonicWALL Threats Research team has observed reports of a new POS malware family, detected as GAV: GamaPOS.ABC. The malware contains memory-scraping functionality like the well-known Point-of-Sale Trojan BlackPOS, but this time it is spreading across the United States through malicious emails whose attachments carry macro-based malware such as Andromeda.

The POS malware uses valid certificates to sign its malicious components in order to avoid detection by AV products.

Infection Cycle:

Md5s:

  • Detected as GAV: GAMAPOS.ABC (Trojan)
  • Detected as GAV: GAMAPOS.ABD (Trojan)

The Malware adds the following files to the system:

  • %Userprofile%\All Users\jane.exe [Executable dropper]
  • %Userprofile%\All Users\_temp.dat [Keylogger log]

The Malware adds the following key to the Windows registry to ensure persistence upon reboot:

The malware uses multiple components to gather information from the infected machine and uses legitimate code-signing certificates to avoid detection by AV vendors.

GamaPOS retrieves the list of running processes and periodically scrapes the memory of those processes on the infected machine for credit card information.

The malware installs a keylogger on the target machine and saves the captured keystrokes to the _temp.dat file.

Here is an example:

Command and Control (C&C) Traffic

GamaPOS performs C&C communication over port 1080. The malware sends the infected system’s information to its C&C server in the following format; here are some examples:

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: GamaPos.ABC (Trojan)
  • GAV: GamaPos.ABD (Trojan)

How Next Gen Firewalls are Increasing Your Business Profitability

Shrinking or flat IT security budgets and personnel: this is what many organizations of any size face daily. However, security threats and compliance requirements continue to grow and become even more complex.

In response, many companies have implemented individual security solutions on a reactive basis. For example, they might have started with a traditional firewall to protect their network, then implemented a web content filtering gateway and then added a dedicated intrusion prevention system (IPS/IDS). Each of these solutions can come at a high cost and requires a dedicated specialist to administer and manage it, so the overall total cost of ownership (TCO) goes through the roof! And these point solutions can leave gaping holes between them, exposing the business to potential security breaches and compliance violations instead of helping mitigate the risks: this can’t be!

The advent of faster hardware and more cores has allowed for the consolidation of once stand-alone security solutions into a single appliance – Next Generation Firewalls (NGFWs). They provide dramatic improvements in protection versus traditional firewalls, particularly in dealing with today’s more sophisticated and rapidly changing threat landscape. They allow organizations of all sizes to do more with less and therefore save money!

In the UK, BSkyB’s mobile Wi-Fi service, The Cloud, needed to upgrade the content filtering it provided, as it was becoming increasingly difficult to scale the service and performance was at risk. The Cloud selected the SonicWall NGFW (SuperMassive 9000 series) with its content filtering service, which reduced upgrade work by 75 percent and ensured cost-effective WiFi service performance, delivering twice the capability at a quarter of the cost. Going forward, The Cloud can also use the additional NGFW security capabilities at no additional cost and benefit from more straightforward CapEx forecasting.

In Spain, Benetton looked to enhance store operation and productivity across the country by gaining better control of network connections between its stores and its head office. Efficiency is at the forefront of the company’s goals to deliver enhanced customer services at a lower cost.

The company chose SonicWall NGFW to connect and protect its stores and achieve its business goals. By replacing a traditional firewall with NGFW technology, Benetton Spain ensures the complete protection of its network while spending 39 percent less compared to its legacy solution; this is critical to them, as they are able to fund new IT projects from the savings. Another key benefit of implementing an NGFW is in-store personnel productivity, thanks to the content filtering service and application firewall functionality; now shop assistants can access the Benetton Spain website and other sites that help them deliver a better service to customers. At the same time, users from the marketing department have access to a full range of sites, including social media, which they need for their job, while the network is protected from potential cyber attacks. Also, as a retailer, Benetton Spain has to comply with numerous safeguards like PCI DSS to protect consumer data and credit card details. Because the SonicWall NGFW provides IPsec VPN and a gateway AV service, Benetton Spain can tick the PCI DSS compliance box.

As these two particular examples demonstrate, the financial benefits of the NGFW technology are real and very much tangible, from improving employees’ productivity, to better customer service, operational cost savings and allocating budget to other IT projects, and meeting compliance requirements.

The threat landscape is changing rapidly with new types of malware, and cybercriminals have become increasingly sophisticated and coordinated in their attacks. They are out to exploit every vulnerability, and if your organization is not taking advantage of the advanced protection offered by NGFWs, then you are at increased risk of a successful attack. Deploying an NGFW will provide the network protection you need, but it will also help you improve efficiency and save money that you can re-invest into your business!

The Future Looks Bright for Mobile Worker Productivity

Managing and securing mobile data is about to get a whole lot easier. Mobile platform providers, historically focused on the consumer, are now investing heavily in new OS features that will seamlessly integrate with mobile management and security solutions and allow businesses to more easily enable mobile access to more data and resources without compromising security.

Historically, IT departments protected corporate networks and data by only allowing trusted devices and users to connect to the network. IT could limit the threat of data loss and malware by controlling and managing PC and laptop hardware, software images and configurations. In the new mobile era, IT has limited control or management over devices. Workers are often independently choosing their smartphones and tablets as well as the apps and services they use to address business and personal needs.

So, with limited mobile device control and management, how can IT keep company data secure while enabling mobile worker productivity?

The leading mobile platform providers recognize the challenge businesses face and are adding new features to make it easier to secure and manage business apps and data on devices, whether corporate or personally owned. And they’re partnering with third party mobile management and security providers to help give IT control to secure and manage the mobile data workflow. Key mobile platform features enabling mobile for business include:

1. Managed separation of business and personal apps and data

Mobile OSs are architected to allow data to be easily shared between apps. While this ease of use and transparent interaction and sharing between apps is beneficial for personal use, it can be problematic for businesses that want to protect data. For example, many social apps mine contact lists from other apps and invite contacts to join their service. With this, confidential customer contact information stored in a business app could unintentionally be “shared” with a personal social app, leaking customer contact information and potentially damaging a business’s reputation or violating regulatory rules. Another risk: if a rogue app is downloaded to a device, it may contain mobile malware or vulnerabilities that can steal data or provide an entry point for a cyber-attack.

To address these issues, the new generation of mobile operating systems is adding features that, with third party mobile management tools, will help better secure business apps and data on mobile devices. IT, with mobile user permission, will be able to more easily deploy and manage trusted mobile apps for business and enforce security policy to protect company data, while personal apps and data will be isolated from business apps, preventing data leakage. To meet mobile user demands for personal app and data privacy, IT will be restricted to only manage business apps and data. With these new built-in OS features, today’s proprietary secure containers that isolate and secure business apps and data on mobile devices, will be less necessary, helping to reduce IT cost and complexity.

2. Managed apps

To further support mobile for business, mobile platform providers are making it easier for app developers to build “managed apps”, apps that can be configured and managed by mobile management tools. For these apps, IT will be able to use third party mobile management tools to configure app level policies that affect the actions an app may take. For example, a managed email app implemented with the new mobile management control protocol could be remotely configured to only allow email and attachments to be viewed from the email app, and disallow copy, cut and print functionality to keep business data secure and encrypted within the app and not allow sharing with other apps.

3. App level VPN

Businesses today often deploy VPNs to securely connect mobile and remote workers with company networks and resources, a necessity to encrypt data in-flight and protect from data theft. However, when a device is used for business and personal use, if the VPN is enabled, personal traffic also uses the corporate VPN which can impact network bandwidth and contaminate backend resources. Ideally, to preserve corporate network bandwidth, only business apps and data should use the corporate VPN.

To address this need, mobile OS, security and management technologies are evolving to allow per app VPN capabilities. With per app VPN, security and management technology may be configured with policies to initiate a VPN whenever a business app launches such that business traffic from the mobile device travels through the VPN while personal traffic does not.

So, with these new mobile management and security capabilities, what should businesses do to accelerate mobile adoption and productivity?

Get ready for the next wave of mobile technology. For information on the management and security solutions you need to help enable mobile workers productivity while protecting from threats, read our eBook, Secure Mobile Access.

Microsoft Font Driver OOB RCE Vulnerability (July 20, 2015)

Microsoft released an out-of-band security advisory on July 20, 2015 to address a critical remote code execution vulnerability. It is referred to as MS15-078 and replaces the advisory MS15-077, released last week during the July 2015 Microsoft Patch Day.

This vulnerability exists in Microsoft Windows when the Windows Adobe Type Manager Library improperly handles specially crafted OpenType fonts. An attacker who successfully exploited this vulnerability could take complete control of the affected system. It affects all versions of Windows.

Affected users are advised to install the update immediately or apply the workarounds from the advisory. Dell SonicWALL released the following SPY signature on the same day to protect its customers:

  • SPY:1927 “Malformed-File otf.MP.11”

The vulnerability is tracked as CVE-2015-2426.

Magic Malware targets UK businesses. (July 17th, 2015)

The Dell SonicWALL Threats Research team has received reports of a Trojan known to the anti-malware community as “Magic Malware”. The Trojan was originally targeted at businesses in the UK and can be used as an espionage tool or a general information stealer. It uses a custom protocol with encryption to communicate with its C&C servers. Although the sample analysed here appears unfinished, its code indicates that it is currently under development and will later be used on a much larger scale.

Infection Cycle:

The Trojan adds the following files to the filesystem:

  • %SYSTEM32%\WwYNcyv.exe (copy of original) [Detected as GAV: Qudamah.G_10 (Trojan)]
  • %SYSTEM32%\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\TUFFEEJD\CAK1E7S9.html (encrypted file)

The Trojan adds the following registry key to enable startup after reboot:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run WwYNcyv “%SYSTEM32%\WwYNcyv.exe”

In order to remain stealthy, the Trojan injects itself into svchost.exe from which further activities are launched.

The injected code sends a list of running processes to a remote C&C server:

The server returns encrypted data. We were able to locate the decryption routine in the injected executable:

Decryption uncovers an executable file [Detected as GAV: Qudamah.G_10 (Trojan)]:

The Trojan periodically sends out the following data to the C&C server:

The Trojan code appears unfinished but gives clues to possible future functionality. As well as stealing system information and running arbitrary executables, it indicates the ability to inject code into browser sessions, set up a back door and add users to the system making it possible to gain access to the system over RDP.

SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:

  • GAV: Qudamah.G_10 (Trojan)

Microsoft Security Bulletin Coverage (July 14, 2015)

Dell SonicWALL has analyzed and addressed Microsoft’s security advisories for the month of July, 2015. A list of the issues reported, along with Dell SonicWALL coverage information, follows:

MS15-058 Vulnerabilities in SQL Server Could Allow Remote Code Execution

  • CVE-2015-1761 SQL Server Elevation of Privilege Vulnerability
    There are no known exploits in the wild.
  • CVE-2015-1762 SQL Server Remote Code Execution Vulnerability
    There are no known exploits in the wild.
  • CVE-2015-1763 SQL Server Remote Code Execution Vulnerability
    There are no known exploits in the wild.

MS15-065 Security Update for Internet Explorer

  • CVE-2015-1729 Internet Explorer Information Disclosure Vulnerability
    IPS: 5962 “Internet Explorer Cross-domain Information Disclosure (MS14-065) 2”
  • CVE-2015-1733 Internet Explorer Memory Corruption Vulnerability
    IPS: 11026 “Internet Explorer Memory Corruption Vulnerability (MS15-065) 10”
  • CVE-2015-1738 Internet Explorer Memory Corruption Vulnerability
    IPS: 11027 “Internet Explorer Memory Corruption Vulnerability (MS15-065) 11”
  • CVE-2015-1767 Internet Explorer Memory Corruption Vulnerability
    IPS: 11028 “Internet Explorer Memory Corruption Vulnerability (MS15-065) 12”
  • CVE-2015-2372 VBScript Memory Corruption Vulnerability
    IPS: 11029 “Internet Explorer Memory Corruption Vulnerability (MS15-065) 13”
  • CVE-2015-2383 Internet Explorer Memory Corruption Vulnerability
    IPS: 11030 “Internet Explorer Memory Corruption Vulnerability (MS15-065) 14”
  • CVE-2015-2384 Internet Explorer Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2015-2385 Internet Explorer Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2015-2388 Internet Explorer Memory Corruption Vulnerability
    IPS: 11031 “Internet Explorer Memory Corruption Vulnerability (MS15-065) 15”
  • CVE-2015-2389 Internet Explorer Memory Corruption Vulnerability
    IPS: 11032 “Internet Explorer Memory Corruption Vulnerability (MS15-065) 16”
  • CVE-2015-2390 Internet Explorer Memory Corruption Vulnerability
    IPS: 11033 “Internet Explorer Memory Corruption Vulnerability (MS15-065) 17”
  • CVE-2015-2391 Internet Explorer Memory Corruption Vulnerability
    IPS: 11034 “Internet Explorer Memory Corruption Vulnerability (MS15-065) 18”
  • CVE-2015-2397 Internet Explorer Memory Corruption Vulnerability
    IPS: 7638 “DOM Object Use-After-Free Attack 2”
  • CVE-2015-2398 Internet Explorer XSS Filter Bypass Vulnerability
    There are no known exploits in the wild.
  • CVE-2015-2401 Internet Explorer Memory Corruption Vulnerability
    IPS: 11036 “Internet Explorer Memory Corruption Vulnerability (MS15-065) 20”
  • CVE-2015-2402 Internet Explorer Elevation of Privilege Vulnerability
    There are no known exploits in the wild.
  • CVE-2015-2403 Internet Explorer Memory Corruption Vulnerability
    IPS: 2175 “Internet Explorer Memory Corruption Vulnerability (MS15-065) 1”
  • CVE-2015-2404 Internet Explorer Memory Corruption Vulnerability
    IPS: 2190 “Internet Explorer Memory Corruption Vulnerability (MS15-065) 2”
  • CVE-2015-2406 Internet Explorer Memory Corruption Vulnerability
    IPS: 2191 “Internet Explorer Memory Corruption Vulnerability (MS15-065) 3”
  • CVE-2015-2408 Internet Explorer Memory Corruption Vulnerability
    IPS: 2192 “Internet Explorer Memory Corruption Vulnerability (MS15-065) 4”
  • CVE-2015-2410 Internet Explorer Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2015-2411 Internet Explorer Memory Corruption Vulnerability
    IPS: 2198 “Internet Explorer Memory Corruption Vulnerability (MS15-065) 5”
  • CVE-2015-2412 Internet Explorer Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2015-2413 Internet Explorer Information Disclosure Vulnerability
    IPS: 2207 “Internet Explorer Information Disclosure Vulnerability (MS15-065) 1”
  • CVE-2015-2414 Internet Explorer Information Disclosure Vulnerability
    IPS: 2208 “Internet Explorer Information Disclosure Vulnerability (MS15-065) 2”
  • CVE-2015-2419 Jscript9 Memory Corruption Vulnerability
    IPS: 2209 “Internet Explorer JScript9 Memory Corruption Vulnerability (MS15-065)”
  • CVE-2015-2421 Internet Explorer ASLR Bypass
    IPS: 2210 “Internet Explorer ASLR Bypass Vulnerability (MS15-065)”
  • CVE-2015-2422 Internet Explorer Memory Corruption Vulnerability
    IPS: 2233 “Internet Explorer Memory Corruption Vulnerability (MS15-065) 6”
  • CVE-2015-2425 Internet Explorer Memory Corruption Vulnerability
    IPS: 2234 “Internet Explorer Memory Corruption Vulnerability (MS15-065) 7”

MS15-066 Vulnerability in VBScript Scripting Engine Could Allow Remote Code Execution

  • CVE-2015-2372 VBScript Memory Corruption Vulnerability
    There are no known exploits in the wild.

MS15-067 Vulnerability in RDP Could Allow Remote Code Execution

  • CVE-2015-2373 Remote Desktop Protocol (RDP) Remote Code Execution Vulnerability
    There are no known exploits in the wild.

MS15-068 Vulnerabilities in Windows Hyper-V Could Allow Remote Code Execution

  • CVE-2015-2361 Hyper-V Buffer Overflow Vulnerability
    There are no known exploits in the wild.
  • CVE-2015-2362 Hyper-V System Data Structure Vulnerability
    There are no known exploits in the wild.

MS15-069 Vulnerabilities in Windows Could Allow Remote Code Execution

  • CVE-2015-2368 Windows DLL Remote Code Execution Vulnerability
    There are no known exploits in the wild.
  • CVE-2015-2369 DLL Planting Remote Code Execution Vulnerability
    There are no known exploits in the wild.

MS15-070 Vulnerabilities in Microsoft Office Could Allow Remote Code Execution

  • CVE-2015-2376 Microsoft Office Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2015-2377 Microsoft Office Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2015-2378 Microsoft Excel DLL Remote Code Execution Vulnerability
    IPS: 5726 “Binary Planting Attack 2”
  • CVE-2015-2379 Microsoft Office Memory Corruption Vulnerability
    SPY: 3107 “Malformed-File doc.MP.24”
  • CVE-2015-2380 Microsoft Office Memory Corruption Vulnerability
    SPY: 3106 “Malformed-File doc.MP.23”
  • CVE-2015-2415 Microsoft Office Memory Corruption Vulnerability
    GAV: 37640 “Olemal.A”
  • CVE-2015-2424 Microsoft Office Memory Corruption Vulnerability
    There are no known exploits in the wild.

MS15-071 Vulnerability in Netlogon Could Allow Elevation of Privilege

  • CVE-2015-2374 Elevation of Privilege Vulnerability in Netlogon
    There are no known exploits in the wild.

MS15-072 Vulnerability in Windows Graphics Component Could Allow Elevation of Privilege

  • CVE-2015-2364 Graphics Component EOP Vulnerability
    SPY: 3105 “Malformed-File swf.MP.234”

MS15-073 Vulnerability in Windows Kernel-Mode Driver Could Allow Elevation of Privilege

  • CVE-2015-2363 Win32k Elevation of Privilege Vulnerability
    There are no known exploits in the wild.
  • CVE-2015-2365 Win32k Elevation of Privilege Vulnerability
    There are no known exploits in the wild.
  • CVE-2015-2366 Win32k Elevation of Privilege Vulnerability
    There are no known exploits in the wild.
  • CVE-2015-2367 Win32k Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2015-2381 Win32k Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2015-2382 Win32k Information Disclosure Vulnerability
    There are no known exploits in the wild.

MS15-074 Vulnerability in Windows Installer Service Could Allow Elevation of Privilege

  • CVE-2015-2371 Windows Installer EoP Vulnerability
    There are no known exploits in the wild.

MS15-075 Vulnerabilities in OLE Could Allow Elevation of Privilege

  • CVE-2015-2416 OLE Elevation of Privilege Vulnerability
    SPY: 3105 “Malformed-File swf.MP.234”
  • CVE-2015-2417 OLE Elevation of Privilege Vulnerability
    SPY: 3105 “Malformed-File swf.MP.234”

MS15-076 Vulnerability in Windows Remote Procedure Call Could Allow Elevation of Privilege

  • CVE-2015-2370 Windows RPC Elevation of Privilege Vulnerability
    There are no known exploits in the wild.

MS15-077 Vulnerability in ATM Font Driver Could Allow Elevation of Privilege

  • CVE-2015-2387 ATMFD.DLL Memory Corruption Vulnerability
    GAV: 20469 “Dropper.A_767”