CVE-2015-6172 BadWinmail found exploited in the wild

Conclusion: It seems that AV vendors made a big mistake and blocked thousands of legitimate emails, and by consequence also disclosed the content of some of these emails on the Internet, like the DRP plan of banks…
All detected samples have now had their detection rate reduced to only marginal anti-viruses. But clearly F-Secure and BitDefender were detecting and blocking thousands of emails during the last days. For the moment, we have no explanation from the anti-virus vendors.
I would like to thank @_clem1, @Kafeine and @PhysicalDrive0 for their support in these clarifications.


On December 8th 2015, Microsoft released, during its regular Patch Tuesday, two updated security advisories, one new security advisory and twelve security bulletins. Of the twelve security bulletins, MS15-131 concerned Microsoft Office and fixed 6 privately reported vulnerabilities.

One of the 6 vulnerabilities fixed in MS15-131, CVE-2015-6172, raised particular attention in the security community. This vulnerability, named Outlook “letterbomb” or “BadWinmail”, would allow an attacker to sneak past Outlook’s security features: an OLE object carried inside a TNEF-encoded (winmail.dat) message is rendered as soon as the mail is previewed, without the Protected View sandbox that applies to ordinary Office attachments. The vulnerability affects Office 2010 and later, as well as Microsoft Word 2007 with Service Pack 3.

This vulnerability was discovered and privately reported to Microsoft by Haifei Li of the Intel Security IPS Research Team. The researcher published a paper describing the vulnerability, accompanied by a demonstration video.

Unfortunately it seems that this vulnerability is actively exploited, and was exploited before the release of the Microsoft security patch.

Two files, “FW Joseph J. Durczynski.rtf” (MD5 957a8d9d6bf7a0e54ad7eb350c930232) and “FW Philip Services Corp. et al..rtf” (MD5 20e184a415cd71eee1cea83df262f814), were submitted to VirusTotal on 27 December and detected as exploits of CVE-2015-6172.

The “FW Philip Services Corp. et al..rtf” file seems to be related to PSC Industrial Services. PSC claims to be the leading provider of specialty maintenance services and technology solutions to critical energy infrastructure in the United States.

The “FW Joseph J. Durczynski.rtf” file seems to be related to Systech Environmental Corp, and particularly to a certain Joe Durczynski working for Systech Environmental Corp.

By doing additional research I found a third sample, “_WRF_0CE7DC0E-AB99-4196-8DC2-F818ABF7C29A_.tmp” (MD5 52c4096e99126851736715c34b1f50a5), submitted to malwr on 23 December. This sample was also submitted to VirusTotal on 23 December and also recognised as an exploit of CVE-2015-6172.

One additional file, “FW RFQ.rtf” (MD5 fab9cfbc629fb3c3eb541fdaf8169ee1), was reported to me by @PhysicalDrive0 and targets PGM Corp. PGM is a full-service precision manufacturing corporation specialising in precision CNC machining, turning, grinding and assembly.

SHA256: 7328bf73af839bfc05e5cae177d60ca06cddc52beeee51fb2268f9a8b98d24fa

Interesting information can be found in the strings from the static analysis of the 23 December malwr sample.

The subject of the email was “FW: Disaster Recovery – home binder”, and the email is an internal mail exchange of the Safe Credit Union organisation. Also, the mail containing the malware was sent on Tuesday, 8th September 2015.

It seems quite urgent to patch if you have not already done so; what seems more and more certain is that CVE-2015-6172 was used in the wild before the release of the Microsoft December patch.
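The following PowerShell is an added example, not part of the original post: it sweeps a directory tree for the samples listed above by hash, so a responder can check mailbox exports, Outlook temp folders or file shares for the same files. The MD5s are the four given in the post and the SHA256 is the one listed in the post (the post does not say which file it belongs to); the sweep path and the extension filter are assumptions.

```powershell
# Added example: hash-based sweep for the CVE-2015-6172 (BadWinmail) samples
# named in the post. Requires PowerShell 4+ for Get-FileHash.

# Hashes as listed in the post (MD5 -> file name the post gives for it).
$KnownMd5 = @{
    '957a8d9d6bf7a0e54ad7eb350c930232' = 'FW Joseph J. Durczynski.rtf'
    '20e184a415cd71eee1cea83df262f814' = 'FW Philip Services Corp. et al..rtf'
    '52c4096e99126851736715c34b1f50a5' = '_WRF_0CE7DC0E-AB99-4196-8DC2-F818ABF7C29A_.tmp'
    'fab9cfbc629fb3c3eb541fdaf8169ee1' = 'FW RFQ.rtf'
}
# SHA256 listed in the post without a file name attached to it.
$KnownSha256 = @{
    '7328bf73af839bfc05e5cae177d60ca06cddc52beeee51fb2268f9a8b98d24fa' = 'SHA256 listed in the post'
}

function Find-BadWinmailSamples {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Path,
        # Assumption: extensions chosen to cover the file names in the post
        # (.rtf, .tmp) plus the usual mail carriers; widen as needed.
        [string[]]$Include = @('*.rtf', '*.tmp', '*.dat', '*.msg', '*.eml')
    )

    Get-ChildItem -Path $Path -Recurse -File -Include $Include -ErrorAction SilentlyContinue |
    ForEach-Object {
        $f = $_
        try {
            # Both digests are computed so a hit on either list is reported.
            $md5    = (Get-FileHash -Path $f.FullName -Algorithm MD5).Hash.ToLower()
            $sha256 = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash.ToLower()
        } catch {
            return   # locked or unreadable file: skip it rather than abort the sweep
        }

        $hit = $null
        if ($KnownMd5.ContainsKey($md5))          { $hit = $KnownMd5[$md5] }
        elseif ($KnownSha256.ContainsKey($sha256)) { $hit = $KnownSha256[$sha256] }

        if ($hit) {
            [pscustomobject]@{
                File       = $f.FullName
                MD5        = $md5
                SHA256     = $sha256
                MatchedIoc = $hit
                LastWrite  = $f.LastWriteTimeUtc
            }
        }
    }
}

# Usage (the path is an assumption; point it at mailbox exports or a file share):
# Find-BadWinmailSamples -Path "$env:USERPROFILE" | Format-Table -AutoSize
```

Matches are returned as objects rather than printed, so the output can be piped to Export-Csv for a ticket or fed into a wider IOC list. A clean sweep only says these exact files are absent; recompiled or re-saved RTF variants will have different hashes.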

Additional samples are currently being submitted:

Microsoft December 2015 Patch Tuesday Review

Microsoft released, on December 8th 2015, during its December 2015 Patch Tuesday, two updated security advisories, one new security advisory and twelve security bulletins. Of the twelve security bulletins, eight have a Critical security rating.

Microsoft Security Advisory 2755801

MSA-2755801, released in September 2012, has been updated. The advisory concerns updates for vulnerabilities in Adobe Flash Player in Internet Explorer 10, Internet Explorer 11 and Microsoft Edge. KB3119147 has been released for supported editions of:

  • Internet Explorer 10 on Windows 8, Windows Server 2012, and Windows RT;
  • Internet Explorer 11 on Windows 8.1, Windows Server 2012 R2, Windows RT 8.1, and Windows 10;
  • Microsoft Edge on Windows 10.

The update addresses the vulnerabilities described in Adobe Security bulletin APSB15-32.

Microsoft Security Advisory 3057154

MSA-3057154, released in July 2015, has been updated. The advisory concerns an update that hardens scenarios in which Data Encryption Standard (DES) encryption keys are used with accounts, to ensure that domain users, services and computers that support other encryption types are not vulnerable to credential theft or elevation-of-privilege attacks. KB3057154 has been released for:

  • Windows Server 2003 Service Pack 2
  • Windows Server 2003 R2 Service Pack 2
  • Windows Server 2003 x64 Edition Service Pack 2
  • Windows Server 2003 R2 x64 Edition Service Pack 2
  • Windows Server 2003 with SP2 for Itanium-based Systems
  • Windows Vista Service Pack 2
  • Windows Vista x64 Edition Service Pack 2
  • Windows Server 2008 for 32-bit Systems Service Pack 2
  • Windows Server 2008 for x64-based Systems Service Pack 2
  • Windows Server 2008 for Itanium-based Systems Service Pack 2
  • Windows 7 for 32-bit Systems Service Pack 1
  • Windows 7 for x64-based Systems Service Pack 1
  • Windows Server 2008 R2 for x64-based Systems Service Pack 1
  • Windows Server 2008 R2 for Itanium-based Systems Service Pack 1
  • Windows 8 for 32-bit Systems
  • Windows 8 for x64-based Systems
  • Windows 8.1 for 32-bit Systems
  • Windows 8.1 for x64-based Systems
  • Windows Server 2012
  • Windows Server 2012 R2
  • Windows RT
  • Windows RT 8.1
  • Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
  • Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
  • Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
  • Windows Server 2012 (Server Core installation)
  • Windows Server 2012 R2 (Server Core installation)
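Before relying on the DES hardening above, it helps to know which accounts in the domain still advertise DES Kerberos keys at all. The following PowerShell is an added example, not part of the advisory: it queries Active Directory for accounts flagged DES-only (userAccountControl bit 0x200000, USE_DES_KEY_ONLY) or advertising a DES encryption type in msDS-SupportedEncryptionTypes (0x1 DES-CBC-CRC, 0x2 DES-CBC-MD5). The function name is mine; it assumes the RSAT ActiveDirectory module and read access to the domain.

```powershell
# Added example: audit AD accounts that can still use DES Kerberos keys.
# Requires the ActiveDirectory module (RSAT); read access to the domain suffices.

Import-Module ActiveDirectory

$UseDesKeyOnly = 0x200000   # userAccountControl: USE_DES_KEY_ONLY
$DesCbcCrc     = 0x1        # msDS-SupportedEncryptionTypes bits
$DesCbcMd5     = 0x2
$DesMask       = $DesCbcCrc -bor $DesCbcMd5

# LDAP bitwise-AND matching rule (OID 1.2.840.113556.1.4.803) matches when ALL
# bits in the filter value are set, so each DES bit gets its own clause; the
# decimal 2097152 is 0x200000.
$DesFilter = '(|(userAccountControl:1.2.840.113556.1.4.803:=2097152)' +
             '(msDS-SupportedEncryptionTypes:1.2.840.113556.1.4.803:=1)' +
             '(msDS-SupportedEncryptionTypes:1.2.840.113556.1.4.803:=2))'

function Get-DesKerberosAccounts {
    [CmdletBinding()]
    param(
        [string]$SearchBase = (Get-ADDomain).DistinguishedName
    )

    Get-ADObject -LDAPFilter $DesFilter -SearchBase $SearchBase `
        -Properties userAccountControl, 'msDS-SupportedEncryptionTypes', servicePrincipalName |
    ForEach-Object {
        $uac = [int]$_.userAccountControl
        $enc = [int]$_.'msDS-SupportedEncryptionTypes'   # unset attribute casts to 0
        [pscustomobject]@{
            Name              = $_.Name
            ObjectClass       = $_.ObjectClass
            DesKeyOnly        = ($uac -band $UseDesKeyOnly) -ne 0
            DesCbcCrc         = ($enc -band $DesCbcCrc) -ne 0
            DesCbcMd5         = ($enc -band $DesCbcMd5) -ne 0
            # True when RC4/AES are also advertised: the accounts the hardening protects.
            OtherEtypes       = ($enc -band (-bnot $DesMask)) -ne 0
            HasSPN            = ($_.servicePrincipalName).Count -gt 0
            DistinguishedName = $_.DistinguishedName
        }
    }
}

# Usage: DES-only accounts first, since those need migrating before DES can go.
Get-DesKerberosAccounts | Sort-Object DesKeyOnly -Descending | Format-Table -AutoSize
```

Accounts with msDS-SupportedEncryptionTypes unset do not appear, because they use the domain default rather than DES. The advisory's wording covers accounts that support other encryption types, which is what the OtherEtypes column flags; anything marked DesKeyOnly, especially with an SPN (a service account), has to be moved to AES explicitly, as the hardening alone does not change which keys that account can use.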

Microsoft Security Advisory 3123040

MSA-3123040 concerns an SSL/TLS digital certificate for *.xboxlive.com whose private key was inadvertently disclosed. The certificate could be used in attempts to perform man-in-the-middle attacks. It cannot be used to issue other certificates, impersonate other domains, or sign code. This issue affects all supported releases of Microsoft Windows. KB2677070 has been released for:

  • Windows Vista Service Pack 2
  • Windows Vista x64 Edition Service Pack 2
  • Windows Server 2008 for 32-bit Systems Service Pack 2
  • Windows Server 2008 for x64-based Systems Service Pack 2
  • Windows Server 2008 for Itanium-based Systems Service Pack 2
  • Windows 7 for 32-bit Systems Service Pack 1
  • Windows 7 for x64-based Systems Service Pack 1
  • Windows Server 2008 R2 for x64-based Systems Service Pack 1
  • Windows Server 2008 R2 for Itanium-based Systems Service Pack 1
  • Windows 8 for 32-bit Systems
  • Windows 8 for x64-based Systems
  • Windows 8.1 for 32-bit Systems
  • Windows 8.1 for x64-based Systems
  • Windows RT
  • Windows RT 8.1
  • Windows Server 2012
  • Windows Server 2012 R2
  • Windows 10
  • Windows 10 Version 1511
  • Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
  • Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
  • Windows Server 2008 R2 for x64-based Systems (Server Core installation)
  • Windows Server 2012 (Server Core installation)
  • Windows Server 2012 R2 (Server Core installation)
  • Windows Phone 8
  • Windows Phone 8.1
  • Windows 10 Mobile

MS15-124 Cumulative Security Update for Internet Explorer

MS15-124 security update, classified as Critical, allowing remote code execution, is the fix for 30 privately reported vulnerabilities in Internet Explorer 7, Internet Explorer 8, Internet Explorer 9, Internet Explorer 10, and Internet Explorer 11. KB3116180 has been released to fix the vulnerabilities below:

CVE | CVSS score | Disclosed | Exploited | Credit
CVE-2015-6083 | 9.3 | No | No | Hui Gao of Palo Alto Networks
CVE-2015-6134 | 9.3 | No | No | SkyLined, working with HP’s Zero Day Initiative
CVE-2015-6135 | 5.0 | No | No | Simon Zuckerbraun, working with HP’s Zero Day Initiative
CVE-2015-6136 | 9.3 | No | No | Simon Zuckerbraun, working with HP’s Zero Day Initiative; an anonymous researcher, working with HP’s Zero Day Initiative; Yuki Chen of Qihoo 360Vulcan Team
CVE-2015-6138 | 4.3 | No | No | None
CVE-2015-6139 | 9.3 | No | No | Michal Bentkowski
CVE-2015-6140 | 9.3 | No | No | Bo Qu of Palo Alto Networks
CVE-2015-6141 | 9.3 | No | No | B6BEB4D5E828CF0CCB47BB24AAC22515, working with HP’s Zero Day Initiative
CVE-2015-6142 | 9.3 | No | No | Simon Zuckerbraun, working with HP’s Zero Day Initiative
CVE-2015-6143 | 9.3 | No | No | None
CVE-2015-6144 | 4.3 | No | No | Masato Kinugawa
CVE-2015-6145 | 9.3 | No | No | Cong Zhang and Yi Jiang, working with Beijing VRV Software Co., LTD.
CVE-2015-6146 | 9.3 | No | No | Bo Qu of Palo Alto Networks
CVE-2015-6147 | 9.3 | No | No | B6BEB4D5E828CF0CCB47BB24AAC22515, working with HP’s Zero Day Initiative
CVE-2015-6148 | 9.3 | No | No | A3F2160DCA1BDE70DA1D99ED267D5DC1EC336192, working with HP’s Zero Day Initiative
CVE-2015-6149 | 9.3 | No | No | B6BEB4D5E828CF0CCB47BB24AAC22515, working with HP’s Zero Day Initiative
CVE-2015-6150 | 9.3 | No | No | B6BEB4D5E828CF0CCB47BB24AAC22515, working with HP’s Zero Day Initiative
CVE-2015-6151 | 9.3 | No | No | Li Kemeng of Baidu Security Team (x-Team), working with HP’s Zero Day Initiative
CVE-2015-6152 | 9.3 | No | No | Moritz Jodeit of Blue Frost Security
CVE-2015-6153 | 9.3 | No | No | Shi Ji (@Puzzor)
CVE-2015-6154 | 9.3 | No | No | ChenDong Li and YunZe Ni of Tencent
CVE-2015-6155 | 9.3 | No | No | Zheng Huang of the Baidu Scloud XTeam, working with VeriSign iDefense Labs
CVE-2015-6156 | 9.3 | No | No | Anonymous contributor, working with VeriSign iDefense Labs
CVE-2015-6157 | 4.3 | No | No | Zheng Huang of the Baidu Scloud XTeam, working with VeriSign iDefense Labs
CVE-2015-6158 | 9.3 | No | No | Zheng Huang of the Baidu Scloud XTeam, working with VeriSign iDefense Labs
CVE-2015-6159 | 9.3 | No | No | Zheng Huang of the Baidu Scloud XTeam
CVE-2015-6160 | 9.3 | No | No | Garage4Hackers, working with HP’s Zero Day Initiative
CVE-2015-6161 | 4.3 | No | No | Rh0
CVE-2015-6162 | 9.3 | No | No | Wenxiang Qian of Tencent QQBrowser
CVE-2015-6164 | 6.8 | No | No | None

MS15-125 Cumulative Security Update for Microsoft Edge

MS15-125 security update, classified as Critical, allowing remote code execution, is the fix for 15 privately reported vulnerabilities in Microsoft Edge on Windows 10. KB3116184 has been released to fix the vulnerabilities below:

CVE | CVSS score | Disclosed | Exploited | Credit
CVE-2015-6139 | 9.3 | No | No | Michal Bentkowski
CVE-2015-6140 | 9.3 | No | No | Bo Qu of Palo Alto Networks
CVE-2015-6142 | 9.3 | No | No | Simon Zuckerbraun, working with HP’s Zero Day Initiative
CVE-2015-6148 | 9.3 | No | No | A3F2160DCA1BDE70DA1D99ED267D5DC1EC336192, working with HP’s Zero Day Initiative
CVE-2015-6151 | 9.3 | No | No | Li Kemeng of Baidu Security Team (x-Team), working with HP’s Zero Day Initiative
CVE-2015-6153 | 9.3 | No | No | Shi Ji (@Puzzor)
CVE-2015-6154 | 9.3 | No | No | ChenDong Li and YunZe Ni of Tencent
CVE-2015-6155 | 9.3 | No | No | Zheng Huang of the Baidu Scloud XTeam, working with VeriSign iDefense Labs
CVE-2015-6158 | 9.3 | No | No | Zheng Huang of the Baidu Scloud XTeam, working with VeriSign iDefense Labs
CVE-2015-6159 | 9.3 | No | No | Zheng Huang of the Baidu Scloud XTeam
CVE-2015-6161 | 4.3 | No | No | Rh0
CVE-2015-6168 | 9.3 | No | No | SkyLined, working with HP’s Zero Day Initiative
CVE-2015-6169 | 4.3 | No | No | None
CVE-2015-6170 | 6.8 | No | No | Mario Heiderich of Cure53
CVE-2015-6176 | 4.3 | No | No | Masato Kinugawa

MS15-126 Cumulative Security Update for JScript and VBScript

MS15-126 security update, classified as Critical, allowing remote code execution, is the fix for 2 privately reported vulnerabilities in the VBScript scripting engine in Microsoft Windows. KB3116178 has been released to fix the vulnerabilities below:

CVE | CVSS score | Disclosed | Exploited | Credit
CVE-2015-6135 | 5.0 | No | No | Simon Zuckerbraun, working with HP’s Zero Day Initiative
CVE-2015-6136 | 9.3 | No | No | Simon Zuckerbraun, working with HP’s Zero Day Initiative; an anonymous researcher, working with HP’s Zero Day Initiative; Yuki Chen of Qihoo 360Vulcan Team

MS15-127 Security Update for Microsoft Windows DNS

MS15-127 security update, classified as Critical, allowing remote code execution, is the fix for 1 privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if an attacker sends specially crafted requests to a DNS server. KB3100465 has been released to fix the vulnerability below:

CVE | CVSS score | Disclosed | Exploited | Credit
CVE-2015-6125 | 9.3 | No | No | None

MS15-128 Security Update for Microsoft Graphics Component

MS15-128 security update, classified as Critical, allowing remote code execution, is the fix for 3 privately reported vulnerabilities in Microsoft Windows, .NET Framework, Microsoft Office, Skype for Business, Microsoft Lync, and Silverlight. The vulnerabilities could allow remote code execution if a user opens a specially crafted document or visits a webpage that contains specially crafted embedded fonts. KB3104503 has been released to fix the vulnerabilities below:

CVE | CVSS score | Disclosed | Exploited | Credit
CVE-2015-6106 | 9.3 | No | No | Steven Vittitoe of Google Project Zero
CVE-2015-6107 | 9.3 | No | No | Steven Vittitoe of Google Project Zero
CVE-2015-6108 | 9.3 | No | No | None

MS15-129 Security Update for Silverlight

MS15-129 security update, classified as Critical, allowing remote code execution, is the fix for 3 privately reported vulnerabilities in Microsoft Silverlight. KB3106614 has been released to fix the vulnerabilities below:

CVE | CVSS score | Disclosed | Exploited | Credit
CVE-2015-6114 | 4.3 | Yes | Yes | None
CVE-2015-6165 | 4.3 | No | No | Marcin 'Icewall' Noga of Cisco Talos
CVE-2015-6166 | 9.3 | No | No | None

CVE-2015-6114 vulnerability details have been disclosed publicly by @_Icewall from the Cisco Talos vulndev team.

MS15-130 Security Update for Microsoft Uniscribe

MS15-130 security update, classified as Critical, allowing remote code execution, is the fix for 1 privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a user opens a specially crafted document or visits an untrusted webpage that contains specially crafted fonts. KB3108670 has been released to fix the vulnerability below:

CVE | CVSS score | Disclosed | Exploited | Credit
CVE-2015-6130 | 9.3 | No | No | Hossein Lotfi, Secunia Research (now part of Flexera Software)

MS15-131 Security Update for Microsoft Office

MS15-131 security update, classified as Critical, allowing remote code execution, is the fix for 6 privately reported vulnerabilities in Microsoft Office. Interesting to see that CVE-2015-6124 was privately reported but is listed as exploited in the wild. KB3116111 has been released to fix the vulnerabilities below:

CVE | CVSS score | Disclosed | Exploited | Credit
CVE-2015-6040 | 9.3 | No | No | Steven Vittitoe of Google Project Zero
CVE-2015-6118 | 9.3 | No | No | Kai Lu of Fortinet's FortiGuard Labs
CVE-2015-6122 | 9.3 | No | No | Steven Vittitoe of Google Project Zero
CVE-2015-6124 | 9.3 | No | Yes | None
CVE-2015-6172 | 9.3 | No | No | Haifei Li of Intel Security IPS Research Team
CVE-2015-6177 | 9.3 | No | No | Kai Lu of Fortinet's FortiGuard Labs

MS15-132 Security Update for Microsoft Windows

MS15-132 security update, classified as Important, allowing remote code execution, is the fix for 3 privately reported vulnerabilities in Microsoft Windows. KB3116162 has been released to fix the vulnerabilities below:

CVE | CVSS score | Disclosed | Exploited | Credit
CVE-2015-6128 | 7.2 | Yes | Yes | Steven Vittitoe of Google Project Zero; Parvez Anwar
CVE-2015-6132 | 7.2 | No | No | None
CVE-2015-6133 | 7.2 | No | No | None

CVE-2015-6128 vulnerability details have been disclosed publicly with a proof of concept.

MS15-133 Security Update for Windows PGM

MS15-133 security update, classified as Important, allowing elevation of privilege, is the fix for 1 privately reported vulnerability in Microsoft Windows. KB3116130 has been released to fix the vulnerability below:

CVE | CVSS score | Disclosed | Exploited | Credit
CVE-2015-6126 | 7.2 | No | No | None

MS15-134 Security Update for Windows Media Center

MS15-134 security update, classified as Important, allowing remote code execution, is the fix for 2 privately reported vulnerabilities in Microsoft Windows. KB3108669 has been released to fix the vulnerabilities below:

CVE | CVSS score | Disclosed | Exploited | Credit
CVE-2015-6127 | 4.3 | Yes | Yes | Francisco Falcon of Core Security
CVE-2015-6131 | 9.3 | Yes | Yes | Zhang YunHai of NSFOCUS Security Team

CVE-2015-6127 vulnerability details have been disclosed publicly with a proof of concept.

CVE-2015-6131 vulnerability details have been disclosed publicly with a proof of concept.

MS15-135 Security Update for Windows Kernel-Mode Drivers

MS15-135 security update, classified as Important, allowing elevation of privilege, is the fix for 4 privately reported vulnerabilities in Microsoft Windows. Interesting to see that CVE-2015-6175 was publicly reported and is also listed as exploited in the wild. KB3119075 has been released to fix the vulnerabilities below:

CVE | CVSS score | Disclosed | Exploited | Credit
CVE-2015-6171 | 7.2 | No | No | Nils Sommer of bytegeist, working with Google Project Zero
CVE-2015-6173 | 7.2 | No | No | Nils Sommer of bytegeist, working with Google Project Zero
CVE-2015-6174 | 7.2 | No | No | Nils Sommer of bytegeist, working with Google Project Zero
CVE-2015-6175 | 7.2 | Yes | Yes | None