Vulnerability info not updated in 4 months

NikK
NikK Posts: 903 Forum Champion

The Vulnerability protection at F-Secure Labs hasn't been updated since November 2013?!

http://www.f-secure.com/en/web/labs_global/vulnerability/0-day

http://www.f-secure.com/en/web/labs_global/vulnerability/monthly-updates

 

I was trying to find out if F-Secure can detect and block the latest MS 0-day from last week: CVE-2014-1761 but it seems impossible!

 

As a comparison of how it should look like, see Sophos Vulnerability report:

http://www.sophos.com/en-us/threat-center/threat-analyses/vulnerabilities.aspx

Comments

  • Hi NikK,

     

    I checked with the Labs about the updates and they informed me that it should be updated in the next few days. I apologize for any inconvenience caused.

    Regarding the vulnerability, Microsoft has shared some details about the sample here (http://blogs.technet.com/b/srd/archive/2014/03/24/security-advisory-2953095-recommendation-to-stay-protected-and-for-detections.aspx), but unfortunately this is not enough to create a detection. This exploit has been used in a targeted attack so we are still needing samples.

     

    However, based on the information that has been shared about this exploit, it is highly likely that Deepguard5 is able to prevent the infection. Our recommendations for the meantime is to disable RTF content according to the Microsoft article https://support.microsoft.com/kb/2953095

     

    Hope this helps.

  • NikK
    NikK Posts: 903 Forum Champion

    Thanks for the info!

     

    Sophos products detect booby-trapped files as: Exp/20141761-A so maybe you can check with them if they perhaps know more.

     

    The CVE was reported as early as January but MS announced it only last week Smiley Sad

  • Ukko
    Ukko Posts: 3,770 Superuser

    Hello,

     

    Very interesting about any answers by F-Secure team...

     

    but just because it's without any information yet......

     

    Some of my dreams:

     

    Probably it's not just experience one of company..... information about current sample created just yesterday (?!).

     

    Anyway that sample, how I can to understand, also detected by F-Secure. And.... today with addition like "Exploit.CVE-2014-1761.A" like "certainly" signature for current sample;

     

    And it's, of course, have a lot of more exploits (more old, than three monthes maybe) - which detected by various generic descriptions. But.... targeted attack - it's best "stealth"-steps for any generic-descriptions too.

     

     

    Also just like information - it's can be just about four or five known samples..... and probably already have generic-description for that exploit.... but I not sure... that it's anyway can to help in all situations.

  • Hi Nikk and Ukko,

     

    F-Secure has the detection for the exploit now as below:

    Aquarius: Exploit.CVE-2014-1761.A
    Hydra: Exploit:W32/CVE-2014-1761.A

    Hydra 2014-04-04_02 and Aquarius 2014-04-03_03 contains the detection for the exploit. At the same time, our DeepGuard5 was able to block this exploit even before the databases above has been released. For more information, please visit our Weblog: http://www.f-secure.com/weblog/archives/00002691.html

     

    Please do let us know if you need more information.

    Thanks.

  • Please find the detailed information given here:

     

    http://www.f-secure.com/en/web/labs_global/vulnerability/cve-2014-1761

     

    Thanks.

This discussion has been closed.
Feedback on New Design