Vulnerability info not updated in 4 months

NikK

The Vulnerability protection at F-Secure Labs hasn't been updated since November 2013?!

http://www.f-secure.com/en/web/labs_global/vulnerability/0-day

http://www.f-secure.com/en/web/labs_global/vulnerability/monthly-updates

 

I was trying to find out if F-Secure can detect and block the latest MS 0-day from last week: CVE-2014-1761 but it seems impossible!

 

As a comparison of how it should look like, see Sophos Vulnerability report:

http://www.sophos.com/en-us/threat-center/threat-analyses/vulnerabilities.aspx

[Deleted User]

Hi NikK,

 

I checked with the Labs about the updates and they informed me that it should be updated in the next few days. I apologize for any inconvenience caused.

Regarding the vulnerability, Microsoft has shared some details about the sample here (http://blogs.technet.com/b/srd/archive/2014/03/24/security-advisory-2953095-recommendation-to-stay-protected-and-for-detections.aspx), but unfortunately this is not enough to create a detection. This exploit has been used in a targeted attack so we are still needing samples.

 

However, based on the information that has been shared about this exploit, it is highly likely that Deepguard5 is able to prevent the infection. Our recommendations for the meantime is to disable RTF content according to the Microsoft article https://support.microsoft.com/kb/2953095

 

Hope this helps.

NikK

Thanks for the info!

 

Sophos products detect booby-trapped files as: Exp/20141761-A so maybe you can check with them if they perhaps know more.

 

The CVE was reported as early as January but MS announced it only last week

Ukko

Hello,

 

Very interesting about any answers by F-Secure team...

 

but just because it's without any information yet......

 

Some of my dreams:

 

Probably it's not just experience one of company..... information about current sample created just yesterday (?!).

 

Anyway that sample, how I can to understand, also detected by F-Secure. And.... today with addition like "Exploit.CVE-2014-1761.A" like "certainly" signature for current sample;

 

And it's, of course, have a lot of more exploits (more old, than three monthes maybe) - which detected by various generic descriptions. But.... targeted attack - it's best "stealth"-steps for any generic-descriptions too.

 

 

Also just like information - it's can be just about four or five known samples..... and probably already have generic-description for that exploit.... but I not sure... that it's anyway can to help in all situations.

[Deleted User]

Hi Nikk and Ukko,

 

F-Secure has the detection for the exploit now as below:

Aquarius: Exploit.CVE-2014-1761.A
Hydra: Exploit:W32/CVE-2014-1761.A

Hydra 2014-04-04_02 and Aquarius 2014-04-03_03 contains the detection for the exploit. At the same time, our DeepGuard5 was able to block this exploit even before the databases above has been released. For more information, please visit our Weblog: http://www.f-secure.com/weblog/archives/00002691.html

 

Please do let us know if you need more information.

Thanks.

[Deleted User]

Please find the detailed information given here:

 

http://www.f-secure.com/en/web/labs_global/vulnerability/cve-2014-1761

 

Thanks.