Discovered by Andrea Allievi and Piotr Bania of Cisco Talos.
Talos, in conjunction with Microsoft’s security advisory issued on September 8th, is disclosing the discovery of a memory corruption vulnerability within the Microsoft Windows CDD Font Parsing Kernel Driver. This vulnerability was initially discovered by the Talos and reported in accordance with responsible disclosure policies to Microsoft. Please see Talos’s Microsoft Tuesday Blog for coverage information for this vulnerability. Read the full Talos Vulnerability Report via the talosintel.com portal here: TALOS-2015-0007
A specially crafted font file can cause the Microsoft Windows CDD Font Parsing Kernel driver to corrupt internal memory structures. The DrvTextOut routine acquires and locks the associated device and behaves differently based on the surface type. If the type is a bitmap and the Windows DWM is on, the driver will read and write directly to the video frame buffer and calls EngTextOut, then exits. However, the driver behaves in an unexpected manner where a new background rect is generated mixing the “OpaqueRect” rectangle located in the sixth parameter and the rectangle located in the “pStringTextObj” object.
If the ClipObject describes a NON-Trivial clip, even the “rclBounds” of the clip object is merged to the background rectangle. The Font Object is parsed, and finally the routine decides if it should clip the background rect or not.
The final decision is based on the following check:
Read More »
Tags: 0-day, security, Talos, vulnerability spotlight
Today an out of band advisory was released by Microsoft to address CVE-2015-2502. This vulnerability is addressed by MS15-093.
MS15-093 address a memory corruption vulnerability in Internet Explorer versions 7, 8, 9, 10, and 11. This affects all currently supported versions of Windows, including Windows 10.
This advisory is rated critical. An attacker can craft a web page designed to exploit this vulnerability and lure a user into visiting it. The compromise will result in remote code execution at the permission level of the affected user. The use of proper user access controls can limit the severity of the compromise.
As with most out of band releases, it has been reported that this attack is being exploited in the wild. Users should patch immediately.
Read More »
Tags: 0-day, internet explorer, Microsoft, patch, Talos
Update 2015-08-21: This post has been updated to reflect an additional advisory released on August 20.
Talos, in conjunction with Apple’s security advisories issued on August 13 and August 20, has released six advisories for vulnerabilities that Talos found in Apple Quicktime. In accordance with our Vendor Vulnerability Reporting and Disclosure policy, these vulnerabilities have been reported to Apple and CERT. This post serves as a summary for the advisories being released in coordination with Apple and CERT.
Ryan Pentney and Richard Johnson of Talos are credited with the discovery of these vulnerabilities.
Read More »
Tags: 0-day, Apple, Talos, Vulnerability Research
Talos is releasing an advisory for multiple vulnerabilities that have been found within the Total Commander FileInfo Plugin. These vulnerabilities are local denial of service flaws and have been assigned CVE-2015-2869. In accordance with our Vendor Vulnerability Reporting and Disclosure policy, these vulnerabilities have been disclosed to the plugin author(s) and CERT. This post serves as a summary of the advisory.
Credit for these discoveries belongs to Marcin Noga of Talos.
An attacker who controls the content of a COFF Archive Library (.lib) file can can cause an out of bounds read by specifying overly large values for the ‘Size’ field of the Archive Member Header or the “Number Of Symbols” field in the 1st Linker Member. The second half of the vulnerability concerns an attacker who controls the content of a Linear Executable file can cause an out of bounds read by specifying overly large values for the “Resource Table Count” field of the LE Header or the “Object” field at offset 0x8 from a “Resource Table Entry”. An attacker who successfully exploits this vulnerability can cause the Total Commander application to unexpectedly terminate.
These vulnerabilities has been tested against FileInfo 2.21 and FileInfo 2.22.
Finding and disclosing zero-day vulnerabilities responsibly helps improve the overall security of the devices and software people use on a day-to-day basis. Talos is committed to this effort via developing programmatic ways to identify problems or flaws that could be otherwise exploited by malicious attackers. These developments help secure the platforms and software customers use and also help provide insight into how Cisco can improve its own processes to develop better products.
For further zero day or vulnerability reports and information visit:
Tags: 0-day, Talos, Total Commander, Vulnerability Research
This post was authored by Rich Johnson, William Largent, and Ryan Pentney. Earl Carter contributed to this post.
Cisco Talos, in conjunction with Apple’s security advisory issued on June 30th, is disclosing the discovery of a remote code execution vulnerability within Apple Quicktime. This vulnerability was initially discovered by the Talos Vulnerability Research & Development Team and reported in accordance with responsible disclosure policies to Apple.
There is a remote code execution vulnerability in Apple Quicktime (TALOS-2015-0018/CVE-2015-3667). An attacker who can control the data inside an stbl atom in a .MOV file can cause an undersized allocation which can lead to an out-of-bounds read. An attacker can use this to create a use-after-free scenario that could lead to remote code execution.
There is a function within QuickTime (QuickTimeMPEG4!0x147f0) which is responsible for processing the data in an hdlr atom. There is a 16-byte memory region, allocated near the beginning of the function, if the hdlr subtype field in an mdia atom is set to ‘vide’, this reference is passed to a set of two functions.
Read More »
Tags: 0-day, Apple, research, security, stbl, Talos, vulnerability, vulnerability spotlight