FGCenter - Latest Threats, Advisories, Reports and News http://www.fortiguard.com/ en Copyright 2010 Fortinet Inc. All Rights Reserved Thu, 02 Sep 2010 14:50:01 -0800 Threat Landscape Report - August 2010 Edition

Table of Contents:


FortiGuard Labs

Exploits and Intrusion Prevention



Top 10 Attacks & Regions



The top 10 attack attempts detected for this period follow, ranked by the number of valid attack cases reported. Valid attack cases are defined as threats we have listed as a Threat Outbreak on our FortiGuard Center (RSS feed here). Percentage indicates the portion of activity for which the attack accounted out of the accumulated daily incidents reported during this period. Severity indicates the general risk factor involved with the exploitation of the vulnerability, rated from medium to critical. Critical issues are outlined in bold. Top 100 shifts indicate positional changes compared to last edition's Top 100 ranking, with "new" highlighting the attack's debut in the Top 100. Figure 1a shows a daily record of attack cases reported for this period's Top 5 attacks. Figure 1b below shows the Top 5 regions attacked in comparison to total attack cases reported this period.
RankVulnerabilityPercentageSeverityTop 100 Shift
1MS.Windows.Help.Center.Protocol.Malformed.Escape.Sequence30.4Critical+3
2MS.DCERPC.NETAPI32.Buffer.Overflow24.6Critical+1
3MS.IE.Userdata.Behavior.Code.Execution20.9Critical-1
4SMTP.Auth.Buffer.Overflow10.0Critical+1
5FTP.USER.Command.Overflow6.8High+3
6AWStats.Rawlog.Plugin.Logfile.Parameter.Input.Validation6.5High+3
7Apache.Expect.Header.XSS6.5Medium-1
8MS.Content.Management.Server.Code.Execution4.6Critical+4
9Sasfis.Botnet3.9High+2
10MS.Windows.LSASS.Buffer.Overflow2.6High+7



Figure 1a: Daily attack case activity for top 5 attacks

Figure 1b: Top 5 regions by number of attack cases


New Vulnerability Coverage



There were a total of 114 vulnerabilities added to FortiGuard IPS coverage this period.
Of these added vulnerabilities, 28 were reported to be actively exploited (24.6%).

Figure 1c breaks down added vulnerabilities by severity, coverage and active exploitation in the wild.

For more information, observe the detailed reports for this period at:

Figure 1c: New vulnerability coverage for this edition, categorized by severity

Malware Today



Top 10 Variants



Top 10 malware activity by individual variant. Percentage indicates the portion of activity the malware variant accounted for out of all malware threats reported in this edition. Top 100 shifts indicate positional changes compared to last edition's Top 100 ranking, with "new" highlighting the malware's debut in the Top 100. Figure 2 below shows the detected volume for the malware variants listed within the Top 5:

RankMalware VariantPercentageTop 100 Shift
1 http://www.fortiguard.com/reports/roundup_august_2010.html http://www.fortiguard.com/reports/roundup_august_2010.html Mon, 30 Aug 2010 00:00:00 -0800 Fortinet Discovers Multiple Adobe Shockwave Player Vulnerabilities Summary:

Fortinet's FortiGuard Labs has discovered three vulnerabilities in Adobe Shockwave Player, which can lead to remote code execution and denial of service.

Impact:

Remote code execution and denial of service.

Risk:

Critical

Affected Software:

For a list of affected software, please refer to the Adobe Security Bulletin reference below.

Additional Information:

Two memory corruption vulnerabilities were discovered, each of which is highlighted below:
  • Memory corruption in "DIRAPI.dll" (CVE-2010-2863)
  • Memory corruption in "IML32.dll" (CVE-2010-2864)
One denial of service vulnerability was discovered:
  • Denial of service in "DIRAPI.dll" (CVE-2010-2865)

The vulnerabilities are triggered when opening a malformed ".dir" file which contain an overly long length value in a certain field. For both CVE-2010-2863 and CVE-2010-2864, remote code execution is possible through memory corruption and integer overflow. For CVE-2010-2865, a denial of service occurs when Internet Explorer stops responding.

Solutions:
FortiGuard Labs released the following signature to protect against this vulnerability:
  • "Adobe.Shockwave.Player.Lrtx.Chunk.Code.Execution" (CVE-2010-2863)
  • "Adobe.Shockwave.Director.Lscm.Chunk.Code.Execution" (CVE-2010-2864)
  • "Adobe.Shockwave.Director.Lscm.Chunk.Code.DoS" (CVE-2010-2865)

References:

Acknowledgment:
  • Honggang Ren of Fortinet's FortiGuard Labs
]]> http://www.fortiguard.com/advisory/FGA-2010-41.html http://www.fortiguard.com/advisory/FGA-2010-41.html Thu, 26 Aug 2010 00:00:00 -0800 Adobe Security Bulletin for August 24, 2010
Adobe Vulnerability Identifier Adobe Bulletin DescriptionSeverityAffected SoftwareCVE ID
APSB10-20These vulnerabilities could allow an attacker to run malicious code on the affected system.CriticalShockwave Player CVE-2010-2863
CVE-2010-2864
CVE-2010-2865
CVE-2010-2866
CVE-2010-2867
CVE-2010-2868
CVE-2010-2869
CVE-2010-2870
CVE-2010-2871
CVE-2010-2872
CVE-2010-2873
CVE-2010-2874
CVE-2010-2875
CVE-2010-2876
CVE-2010-2877
CVE-2010-2878
CVE-2010-2879
CVE-2010-2880
CVE-2010-2881
CVE-2010-2882


Threat Remediation


Fortinet provides coverage on Adobe vulnerabilities since August 19,2010.

CVE NumberSignature Name
CVE-2010-2863Adobe.Shockwave.Player.Lrtx.Chunk.Code.Execution
[Previous Name: FG-VD-10-016-Adobe]
CVE-2010-2864Adobe.Shockwave.Director.Lscm.Chunk.Code.Execution
[Previous Name: FG-VD-10-017-Adobe]
CVE-2010-2865Adobe.Shockwave.Director.Lscm.Chunk.Code.DoS
[Previous Name: FG-VD-10-018-Adobe]
CVE-2010-2866Adobe.Shockwave.Director.tSAC.Chunk.Code.Execution
[Previous Name: Adobe.0day.24151]
CVE-2010-2867Adobe.Shockwave.Director.RcsL.Chunk.Pointer.Code.Execution
[Previous Name: Adobe.0day.24150]
CVE-2010-2868Adobe.Shockwave.Player.Dir.Media.File.Parsing.Memory.Corruption
[Previous Name: Adobe.0day.24155]
CVE-2010-2869Adobe.Shockwave.Player.Dir.Media.File.Parsing.Memory.Corruption
[Previous Name: Adobe.0day.24155]
CVE-2010-2870Adobe.Shockwave.Director.Mmap.Trusted.Chunk.Size.Code.Execution
[Previous Name: Adobe.0day.24153]
CVE-2010-2871Adobe.Shockwave.Director.Josh.Chunk.Code.Execution
[Previous Name: Adobe.0day.24158]
CVE-2010-2872Adobe.Shockwave.Player.IML32.Module.Memory.Corruption
[Previous Name: Adobe.0day.24160]
CVE-2010-2873Adobe.Shockwave.Player.DIRAPI.Module.Memory.Corruption
[Previous Name: Adobe.0day.24161]
CVE-2010-2874
Adobe Vulnerability Identifier Adobe Bulletin DescriptionSeverityAffected SoftwareCVE ID
APSB10-17Vulnerabilities that could cause the application to crash and could potentially allow an attacker to take control of the affected system.CriticalAdobe Reader, Adobe Acrobat CVE-2010-2862
CVE-2010-1240


Threat Remediation


Fortinet provides coverage on Adobe vulnerabilities since August 13, 2010.

CVE NumberSignature Name
CVE-2010-2862Adobe.Reader.Font.Parsing.Integer.Overflow
CVE-2010-1240PDF.With.Launch.Action

For more information on new and enhanced signatures, visit the IPS Service Update History. If you require more information, contact the FortiGuard Team using our Contact Us web page.


Document History


Revision DateVersion Number
Thursday, August 19 20101Initial Documentation.


Reference:
]]> http://www.fortiguard.com/advisory/FGA-2010-38.html http://www.fortiguard.com/advisory/FGA-2010-38.html Thu, 19 Aug 2010 00:00:00 -0800 Fortinet Discovers VideoLAN VLC ID3v2 Flags Denial Of Service Vulnerability Summary:

Fortinet's FortiGuard Labs has discovered a vulnerability in VideoLAN VLC, which allows a remote attacker to cause a denial of service through a malformed media file.

Impact:

Denial Of Service

Risk:

Medium

Affected Software:

VideoLAN VLC 1.0.x to 1.1.2, please see the reference below.

Additional Information:

The VLC player crashes upon loading a media file containing specifically crafted ID3v2 tags. According to Fortinet's FortiGuard Labs investigations, execution of arbitrary code is however not possible.

FortiGuard Labs continues to monitor this vulnerability world wide while developing additional mitigation strategies / solutions based off our findings.

Solutions:

  • FortiGuard Labs released the following signature which covers this specific vulnerability
    • "VideoLan.VLC.ID3v2.Flags.DoS" on August 19, 2010

Fortinet customers who subscribe to Fortinet's intrusion prevention (IPS) service should be protected against this vulnerability. Fortinet's IPS service is one component of FortiGuard Subscription Services, which also offer comprehensive solutions such as antivirus, Web content filtering and antispam capabilities. These services enable protection against threats on both application and network layers. FortiGuard Services are continuously updated by FortiGuard Labs, which enables Fortinet to deliver a combination of multi-layered security intelligence and true zero-day protection from new and emerging threats. These updates are delivered to all FortiGate, FortiMail and FortiClient products. Fortinet strictly follows responsible disclosure guidelines to ensure optimum protection during a threat's lifecycle.

References:



Acknowledgment:

  • David Maciejak and Dylan Yin of Fortinet's FortiGuard Labs
]]> http://www.fortiguard.com/advisory/FGA-2010-39.html http://www.fortiguard.com/advisory/FGA-2010-39.html Thu, 19 Aug 2010 00:00:00 -0800 Adobe Security Bulletin for August 10, 2010
Adobe Vulnerability Identifier Adobe Bulletin DescriptionSeverityAffected SoftwareCVE ID
APSB10-16These vulnerabilities could cause the application to crash and could potentially allow an attacker to take control of the affected system.CriticalAdobe Flash Player, Adobe AIR CVE-2010-0209
CVE-2010-2188
CVE-2010-2213
CVE-2010-2214
CVE-2010-2215
CVE-2010-2216


Threat Remediation


Fortinet provides coverage on Adobe vulnerabilities since June 11, 2010.

CVE NumberSignature Name
CVE-2010-2188Adobe.Flash.Player.LocalConnection.Memory.Corruption

For more information on new and enhanced signatures, visit the IPS Service Update History. If you require more information, contact the FortiGuard Team using our Contact Us web page.


Document History


Revision DateVersion Number
Tuesday, August 10 20101Initial Documentation.


Reference:
]]> http://www.fortiguard.com/advisory/FGA-2010-37.html http://www.fortiguard.com/advisory/FGA-2010-37.html Tue, 10 Aug 2010 00:00:00 -0800 Microsoft Security Bulletin for August 10, 2010
MS Bulletin Number Microsoft Bulletin TitleSeverityImpact of VulnerabilityAffected SoftwareCVE ID
MS10-046Vulnerability in Windows Shell Could Allow Remote Code Execution (2286198)CriticalRemote Code ExecutionMicrosoft Windows CVE-2010-2568
MS10-049Vulnerabilities in SChannel Could Allow Remote Code Execution (980436)CriticalRemote Code ExecutionMicrosoft Windows CVE-2010-2566
CVE-2009-3555
MS10-051Vulnerability in Microsoft XML Core Services Could Allow Remote Code Execution (2079403)CriticalRemote Code ExecutionMicrosoft Windows CVE-2010-2561
MS10-052Vulnerability in Microsoft MPEG Layer-3 Codecs Could Allow Remote Code Execution (2115168)CriticalRemote Code ExecutionMicrosoft Windows CVE-2010-1882
MS10-053Cumulative Security Update for Internet Explorer (2183461)CriticalRemote Code ExecutionMicrosoft Windows, Internet Explorer CVE-2010-2557
CVE-2010-2560
CVE-2010-2556
CVE-2010-2558
CVE-2010-2559
CVE-2010-1258
MS10-054Vulnerabilities in SMB Server Could Allow Remote Code Execution (982214)CriticalRemote Code ExecutionMicrosoft Windows CVE-2010-2550
CVE-2010-2551
CVE-2010-2552
MS10-055Vulnerability in Cinepak Codec Could Allow Remote Code Execution (982665)CriticalRemote Code ExecutionMicrosoft Windows CVE-2010-2553
MS10-056Vulnerabilities in Microsoft Office Word Could Allow Remote Code Execution (2269638)CriticalRemote Code ExecutionMicrosoft Office CVE-2010-1900
CVE-2010-1901
CVE-2010-1902
CVE-2010-1903
MS10-060Vulnerabilities in the Microsoft .NET Common Language Runtime and in Microsoft Silverlight Could Allow Remote Code Execution (2265906)CriticalRemote Code ExecutionMicrosoft Windows, Microsoft .NET Framework, Microsoft Silverlight CVE-2010-0019
CVE-2010-1898
MS10-047Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (981852)ImportantElevation of PrivilegeMicrosoft Windows CVE-2010-1888
CVE-2010-1889
MS10-048Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2160329)ImportantElevation of PrivilegeMicrosoft Windows CVE-2010-1894
CVE-2010-1895
CVE-2010-1896
CVE-2010-1897
MS10-050Vulnerability in Windows Movie Maker Could Allow Remote Code Execution (981997)ImportantRemote Code ExecutionMicrosoft Windows CVE-2010-2564
http://www.fortiguard.com/advisory/FGA-2010-36.html http://www.fortiguard.com/advisory/FGA-2010-36.html Tue, 10 Aug 2010 00:00:00 -0800 Threat Landscape Report - July 2010 Edition

Table of Contents:


FortiGuard Labs

Exploits and Intrusion Prevention



Top 10 Attacks & Regions



The top 10 attack attempts detected for this period follow, ranked by the number of valid attack cases reported. Valid attack cases are defined as threats we have listed as a Threat Outbreak on our FortiGuard Center (RSS feed here). Percentage indicates the portion of activity for which the attack accounted out of the accumulated daily incidents reported during this period. Severity indicates the general risk factor involved with the exploitation of the vulnerability, rated from medium to critical. Critical issues are outlined in bold. Top 100 shifts indicate positional changes compared to last edition's Top 100 ranking, with "new" highlighting the attack's debut in the Top 100. Figure 1a shows a daily record of attack cases reported for this period's Top 5 attacks. Figure 1b below shows the Top 5 regions attacked in comparison to total attack cases reported this period.
RankVulnerabilityPercentageSeverityTop 100 Shift
1Java.Deployment.Toolkit.Launch.Method.Access28.9Critical-
2MS.IE.Userdata.Behavior.Code.Execution14.9Critical-
3MS.DCERPC.NETAPI32.Buffer.Overflow10.9Critical-
4MS.Windows.Help.Center.Protocol.Malformed.Escape.Sequence8.7Criticalnew
5SMTP.Auth.Buffer.Overflow4.6Critical+4
6Apache.Expect.Header.XSS3.5Medium-
7MS.IE.Deleted.DOM.Object.Access.Memory.Corruption3.2Critical+3
8FTP.USER.Command.Overflow3.2High-1
9AWStats.Rawlog.Plugin.Logfile.Parameter.Input.Validation3.1High-1
10MS.IE.Event.Invalid.Pointer.Memory.Corruption2.7Critical-4



Figure 1a: Daily attack case activity for top 5 attacks

Figure 1b: Top 5 regions by number of attack cases


New Vulnerability Coverage



There were a total of 91 vulnerabilities added to FortiGuard IPS coverage this period.
Of these added vulnerabilities, 31 were reported to be actively exploited (34.1%).

Figure 1c breaks down added vulnerabilities by severity, coverage and active exploitation in the wild.

For more information, observe the detailed reports for this period at:

Figure 1c: New vulnerability coverage for this edition, categorized by severity

Malware Today



Top 10 Variants



Top 10 malware activity by individual variant. Percentage indicates the portion of activity the malware variant accounted for out of all malware threats reported in this edition. Top 100 shifts indicate positional changes compared to last edition's Top 100 ranking, with "new" highlighting the malware's debut in the Top 100. Figure 2 below shows the detected volume for the malware variants listed within the Top 5:

http://www.fortiguard.com/reports/roundup_july_2010.htmlhttp://www.fortiguard.com/reports/roundup_july_2010.htmlThu, 29 Jul 2010 00:00:00 -0800 Fortinet Protects Against Microsoft Windows Shell Could Allow Remote Code Execution Vulnerability Summary:

Fortinet's FortiGuard Labs Protects Against a Vulnerability in Microsoft Windows Shell.

Impact:

Remote Code Execution

Risk:

Critical

Affected Software:

For a list of Microsoft Windows Shell versions affected, please see the references below.

Additional Information:

This vulnerability exists, when a user browse to a folder with specially crafted shortcut. It can also be exploited through removable drives.

FortiGuard Labs continues to monitor this vulnerability world wide while developing additional mitigation strategies / solutions based off our findings.

Solutions:

  • FortiGuard Labs released the following signature which covers this specific vulnerability
    • "MS.Windows.Shell.LNK.Code.Execution" on July 21, 2010

Fortinet customers who subscribe to Fortinet's intrusion prevention (IPS) service should be protected against this vulnerability. Fortinet's IPS service is one component of FortiGuard Subscription Services, which also offer comprehensive solutions such as antivirus, Web content filtering and antispam capabilities. These services enable protection against threats on both application and network layers. FortiGuard Services are continuously updated by FortiGuard Labs, which enables Fortinet to deliver a combination of multi-layered security intelligence and true zero-day protection from new and emerging threats. These updates are delivered to all FortiGate, FortiMail and FortiClient products. Fortinet strictly follows responsible disclosure guidelines to ensure optimum protection during a threat's lifecycle.

References:

]]> http://www.fortiguard.com/advisory/FGA-2010-35.html http://www.fortiguard.com/advisory/FGA-2010-35.html Mon, 19 Jul 2010 00:00:00 -0800 Microsoft Security Bulletin for July 13, 2010
RankMalware VariantPercentageTop 100 Shift
MS Bulletin Number Microsoft Bulletin TitleSeverityImpact of VulnerabilityAffected SoftwareCVE ID
MS10-042Vulnerability in Help and SupportCenter Could Allow Remote Code Execution (2229593)CriticalRemote Code ExecutionMicrosoft Windows CVE-2010-1885
MS10-043Vulnerability in Canonical Display Driver Could Allow Remote Code Execution (2032276)CriticalRemote Code ExecutionMicrosoft Windows CVE-2009-3678
MS10-044Vulnerabilities in Microsoft Office Access ActiveX Controls Could Allow Remote Code Execution (982335)CriticalRemote Code ExecutionMicrosoft Office CVE-2010-0814
CVE-2010-1881
MS10-045Vulnerability in Microsoft Office Outlook Could Allow Remote Code Execution (978212)ImportantRemote Code ExecutionMicrosoft Office CVE-2010-0266


Threat Remediation


Fortinet provides coverage on Microsoft vulnerabilities in July 13, 2010.

CVE NumberSignature Name
CVE-2010-0266MS.Outlook.SMB.Attachment.Spoofing
CVE-2010-0814MS.Office.Access.ActiveX.Controls.Code.Execution
CVE-2010-1881MS.Office.ACCWIZ.DLL.Uninitialized.Variable.Code.Execution
CVE-2010-1885MS.Windows.Help.Center.Protocol.Malformed.Escape.Sequence
CVE-2009-3678MS.Canonical.Display.Code.Execution

For more information on new and enhanced signatures, visit the IPS Service Update History. If you require more information, contact the FortiGuard Team using our Contact Us web page.


Document History


Revision DateVersion Number
Tuesday, July 13 20101Initial Documentation.


Reference:
]]> http://www.fortiguard.com/advisory/FGA-2010-34.html http://www.fortiguard.com/advisory/FGA-2010-34.html Tue, 13 Jul 2010 00:00:00 -0800 Adobe Security Bulletin for June 29, 2010
Adobe Vulnerability Identifier Adobe Bulletin DescriptionSeverityAffected SoftwareCVE ID
APSB10-15These vulnerabilities, including CVE-2010-1297 referenced in Security Advisory APSA10-01, could cause the application to crash and could potentially allow an attacker to take control of the affected system. CriticalAdobe Reader and Acrobat CVE-2010-1240
CVE-2010-1285
CVE-2010-1295
CVE-2010-1297
CVE-2010-2168
CVE-2010-2201
CVE-2010-2202
CVE-2010-2203
CVE-2010-2204
CVE-2010-2205
CVE-2010-2206
CVE-2010-2207
CVE-2010-2208
CVE-2010-2209
CVE-2010-2210
CVE-2010-2211
CVE-2010-2212


Threat Remediation


Fortinet has provided coverage on these Adobe vulnerabilities since June 24, 2010.

CVE NumberSignature Name
CVE-2010-1240PDF.With.Launch.Action
CVE-2010-1285Adobe.Flash.Player.Authplay.DLL.SWF.Handling.Code.Execution
CVE-2010-2168Adobe.Reader.PDF.File.Embeded.Stream.Code.Execution
[previous name: Adobe.0day.23641]
CVE-2010-2201Adobe.Reader.PDF.File.Invalid.Pointer.Code.Execution
[previous name: Adobe.0day.23642]
CVE-2010-2202Adobe.PDF.3difr.x3d.Memory.Corruption
[previous name: Adobe.0day.23644]
CVE-2010-2203Adobe.Reader.RichMedia.Memory.Corruption
CVE-2010-2204Adobe.Reader.Acrobat.PDF.File.Memory.Corruption
[previous name: Adobe.0day.23650]
CVE-2010-2207Adobe.Reader.Cooltype.Compressed.Stream.Code.Execution
[previous name: Adobe.0day.23647]
CVE-2010-2208Adobe.Reader.Crafted.Oject.Code.Execution
[previous name: Adobe.0day.23649]
CVE-2010-2209Adobe.Reader.CoolType.DLL.PDF.Handling.Memory.Corruption
[previous name: Adobe.0day.23643]
CVE-2010-2210Adobe.PDF.Malformed.Stream.Memory.Corruption
[previous name: Adobe.0day.23646]
CVE-2010-2211Adobe.PDF.Malformed.ICCBased.Memory.Corruption
[previous name: Adobe.0day.23640]

For more information on new and enhanced signatures, visit the IPS Service Update History. If you require more information, contact the FortiGuard Team using our Contact Us web page.


Document History


Revision DateVersion Number
Wednesday, June 30 20101Initial Documentation.


]]> http://www.fortiguard.com/advisory/FGA-2010-33.html http://www.fortiguard.com/advisory/FGA-2010-33.html Tue, 29 Jun 2010 00:00:00 -0800 Threat Landscape Report - June 2010 Edition

Table of Contents:


FortiGuard Labs

Exploits and Intrusion Prevention



Top 10 Attacks & Regions



The top 10 attack attempts detected for this period follow, ranked by the number of valid attack cases reported. Valid attack cases are defined as threats we have listed as a Threat Outbreak on our FortiGuard Center (RSS feed here). Percentage indicates the portion of activity for which the attack accounted out of the accumulated daily incidents reported during this period. Severity indicates the general risk factor involved with the exploitation of the vulnerability, rated from medium to critical. Critical issues are outlined in bold. Top 100 shifts indicate positional changes compared to last edition's Top 100 ranking, with "new" highlighting the attack's debut in the Top 100. Figure 1a shows a daily record of attack cases reported for this period's Top 5 attacks. Figure 1b below shows the Top 5 regions attacked in comparison to total attack cases reported this period.
RankVulnerabilityPercentageSeverityTop 100 Shift
1Java.Deployment.Toolkit.Launch.Method.Access60.2Critical-
2MS.IE.Userdata.Behavior.Code.Execution17.2Critical-
3MS.DCERPC.NETAPI32.Buffer.Overflow12.8Critical-
4Gumblar.Botnet6.7Critical-
5MS.IE.Event.Invalid.Pointer.Memory.Corruption5.1Critical+13
6Apache.Expect.Header.XSS4.2Medium+1
7FTP.USER.Command.Overflow3.7High+1
8AWStats.Rawlog.Plugin.Logfile.Parameter.Input.Validation3.4High-2
9SMTP.Auth.Buffer.Overflow3.3Critical-
10MS.IE.Deleted.DOM.Object.Access.Memory.Corruption3.3Critical+4



Figure 1a: Daily attack case activity for top 5 attacks

Figure 1b: Top 5 regions by number of attack cases


New Vulnerability Coverage



There were a total of 201 vulnerabilities added to FortiGuard IPS coverage this period.
Of these added vulnerabilities, 71 were reported to be actively exploited (35.3%).

Figure 1c breaks down added vulnerabilities by severity, coverage and active exploitation in the wild.

For more information, observe the detailed reports for this period at:

Figure 1c: New vulnerability coverage for this edition, categorized by severity

Malware Today



Top 10 Variants



Top 10 malware activity by individual variant. Percentage indicates the portion of activity the malware variant accounted for out of all malware threats reported in this edition. Top 100 shifts indicate positional changes compared to last edition's Top 100 ranking, with "new" highlighting the malware's debut in the Top 100. Figure 2 below shows the detected volume for the malware variants listed within the Top 5:

RankMalware VariantPercentageTop 100 Shift
1
Adobe Vulnerability Identifier Adobe Bulletin DescriptionSeverityAffected SoftwareCVE ID
APSB10-14Vulnerabilities that can be exploited to cause the application to crash and could potentially allow an attacker to take control of the affected system.CriticalAdobe Flash Player CVE-2008-4546
CVE-2009-3793
CVE-2010-1297
CVE-2010-2160
CVE-2010-2161
CVE-2010-2162
CVE-2010-2163
CVE-2010-2164
CVE-2010-2165
CVE-2010-2166
CVE-2010-2167
CVE-2010-2169
CVE-2010-2170
CVE-2010-2171
CVE-2010-2172
CVE-2010-2173
CVE-2010-2174
CVE-2010-2175
CVE-2010-2176
CVE-2010-2177
CVE-2010-2178
CVE-2010-2179
CVE-2010-2180
CVE-2010-2181
CVE-2010-2182
CVE-2010-2183
CVE-2010-2184
CVE-2010-2185
CVE-2010-2186
CVE-2010-2187
CVE-2010-2188
CVE-2010-2189


Threat Remediation


Fortinet provides coverage on Adobe vulnerabilities since June 09, 2010.

CVE NumberSignature Name
CVE-2010-1297Adobe.Flash.Player.Authplay.DLL.SWF.Handling.Code.Execution
[Previous Name: Adobe.0day.23305]
CVE-2010-2160Adobe.Flash.Player.AVM2.getouterscope.Opcode.Code.Execution
CVE-2010-2161Adobe.Flash.Player.Out.Of.Bounds.Memory.Indexing
CVE-2010-2163Adobe.Flash.Player.AVM2.KeyboardEvent.Memory.Corruption
[Previous Name: FG-VD-10-019-Adobe]
CVE-2010-2164Adobe.Flash.Player.Use.After.Free.Memory.Corruption
CVE-2010-2165Adobe.Flash.Player.Air.DLL.Memory.Corruption
CVE-2010-2166Adobe.Flash.Player.AVM2.ActionScript.Memory.Corruption
[Previous Name: FG-VD-10-001-Adobe]
CVE-2010-2167Adobe.Flash.Player.Embeded.Image.Memory.Corruption
CVE-2010-2170Adobe.Flash.Player.Unspecified.Module.Memory.Corruption
CVE-2010-2171
  • Memory corruption in "Flash10e.ocx" (CVE-2010-2163)
  • Memory corruption through VMWare Tools Service (CVE-2010-2189)

    • The vulnerabilities (CVE-2010-2166, CVE-2010-2163) are triggered when opening and rendering a SWF movie file. A remote attacker could craft a malicious SWF file which exploits either one of these vulnerabilities, allowing them to compromise a system. The vulnerability (CVE-2010-2189) is triggered through a special environment condition when running a flash movie under VMWare and VMWare Tools.

    Solutions:
    FortiGuard Labs released the following signature to protect against this vulnerability:
    • "FG-VD-10-001-Adobe" (CVE-2010-2166)
    • "FG-VD-10-019-Adobe" (CVE-2010-2163)

    References:

    Acknowledgment:
    • Bing Liu of Fortinet's FortiGuard Labs (CVE-2010-2166, CVE-2010-2163)
    • Haifei Li of Fortinet's FortiGuard Labs (CVE-2010-2189)
    ]]> http://www.fortiguard.com/advisory/FGA-2010-30.html http://www.fortiguard.com/advisory/FGA-2010-30.html Thu, 10 Jun 2010 00:00:00 -0800 Fortinet Protects Against Microsoft Windows Help and Support Center Could Allow Remote Code Execution Vulnerability Summary:

    Fortinet's FortiGuard Labs Protects Against a Vulnerability in Microsoft Windows Help and Support Center.

    Impact:

    Remote Code Execution

    Risk:

    Critical

    Affected Software:

    For a list of Microsoft Windows Help and Support Center versions affected, please see the references below.

    Additional Information:

    This vulnerability could allow remote code execution if a user views a specially crafted Web page or clicks a specially crafted link.

    FortiGuard Labs continues to monitor this vulnerability world wide while developing additional mitigation strategies / solutions based off our findings.

    Solutions:

    • FortiGuard Labs released the following signature which covers this specific vulnerability
      • "MS.Windows.Help.Center.Protocol.Malformed.Escape.Sequence" on June 11,2010

    Fortinet customers who subscribe to Fortinet's intrusion prevention (IPS) service should be protected against this vulnerability. Fortinet's IPS service is one component of FortiGuard Subscription Services, which also offer comprehensive solutions such as antivirus, Web content filtering and antispam capabilities. These services enable protection against threats on both application and network layers. FortiGuard Services are continuously updated by FortiGuard Labs, which enables Fortinet to deliver a combination of multi-layered security intelligence and true zero-day protection from new and emerging threats. These updates are delivered to all FortiGate, FortiMail and FortiClient products. Fortinet strictly follows responsible disclosure guidelines to ensure optimum protection during a threat's lifecycle.

    References:

    ]]>     http://www.fortiguard.com/advisory/FGA-2010-31.html http://www.fortiguard.com/advisory/FGA-2010-31.html Thu, 10 Jun 2010 00:00:00 -0800     Fortinet Discovers Microsoft Excel Vulnerability Summary:

    Fortinet's FortiGuard Labs has discovered a memory corruption vulnerability in Microsoft Office Excel, which allows a remote attacker to compromise a system through a malicious document.

    Impact:

    Remote code execution.

    Risk:

    High

    Affected Software:

    For a list of affected software, please refer to the Microsoft Security Bulletin reference below.

    Additional Information:

    One memory corruption vulnerability was discovered in Microsoft Office Excel:
    • Memory corruption in "excel.exe" (CVE-2010-0823)

    The vulnerability is triggered when opening and rendering an Excel file. A remote attacker could craft a malicious document which exploits this vulnerability, allowing them to compromise a system.

    Solutions:

    FortiGuard Labs released the following signature to protect against this vulnerability:
    References:

    Acknowledgment:
    • Bing Liu of Fortinet's FortiGuard Labs
    ]]>     http://www.fortiguard.com/advisory/FGA-2010-28.html http://www.fortiguard.com/advisory/FGA-2010-28.html Tue, 08 Jun 2010 00:00:00 -0800     Microsoft Security Bulletin for June 08, 2010
    MS Bulletin Number Microsoft Bulletin TitleSeverityImpact of VulnerabilityAffected SoftwareCVE ID
    MS10-033Vulnerabilities in Media Decompression Could Allow Remote Code Execution (979902)CriticalRemote Code ExecutionMicrosoft Windows CVE-2010-1879
    CVE-2010-1880
    MS10-034Cumulative Security Update of ActiveX Kill Bits (980195)CriticalRemote Code ExecutionMicrosoft Windows CVE-2010-0252
    CVE-2010-0811
    MS10-035Cumulative Security Update for Internet Explorer (982381)CriticalRemote Code ExecutionMicrosoft Windows, Internet Explorer CVE-2010-1259
    CVE-2010-1262
    CVE-2010-0255
    CVE-2010-1257
    CVE-2010-1264
    MS10-032Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (979559)ImportantElevation of PrivilegeMicrosoft Windows CVE-2010-0485
    CVE-2010-0484
    CVE-2010-1255
    MS10-036Vulnerability?in COM Validation in Microsoft Office Could Allow Remote Code Execution (983235)ImportantRemote Code ExecutionMicrosoft Office CVE-2010-1263
    MS10-037Vulnerability in the OpenType Compact Font Format (CFF)) Driver Could Allow Elevation of Privilege (980218)ImportantElevation of PrivilegeMicrosoft Windows CVE-2010-0819
    MS10-038Vulnerabilities in Microsoft Office Excel Could Allow Remote Code Execution (2027452)ImportantRemote Code ExecutionMicrosoft Office CVE-2010-0822
    CVE-2010-0824
    CVE-2010-1245
    CVE-2010-1246
    CVE-2010-1247
    CVE-2010-1248
    CVE-2010-1249
    CVE-2010-1250
    CVE-2010-1253
    CVE-2010-1254
    CVE-2010-0821
    CVE-2010-0823
    CVE-2010-1251
    CVE-2010-1252
    MS10-039Vulnerabilities in Microsoft SharePoint Could Allow Elevation of Privilege (2028554)ImportantElevation of PrivilegeMicrosoft Office, Microsoft Server Software CVE-2010-0817
    CVE-2010-1257
    MS10-040Vulnerability in Internet Information Services Could Allow Remote Code Execution (982666)ImportantRemote Code ExecutionMicrosoft Windows CVE-2010-1256
    MS10-041Vulnerability?in Microsoft .NET Framework Could Allow Tampering (981343)ImportantTamperingMicrosoft Windows, Microsoft .NET Framework CVE-2009-0217


    Threat Remediation


    Fortinet provides coverage on Microsoft vulnerabilities since Apr 01, 2010.

    CVE NumberSignature Name
    http://www.fortiguard.com/advisory/FGA-2010-29.html http://www.fortiguard.com/advisory/FGA-2010-29.html Tue, 08 Jun 2010 00:00:00 -0800 Fortinet Protects Against Adobe Flash Player, Adobe Reader and Adobe Acrobat Vulnerability Summary:

    Fortinet's FortiGuard Labs Protects Against a Vulnerability in Adobe Products.

    Impact:

    System Compromise

    Risk:

    Critical

    Affected Software:

    For a list of Adobe Products' versions affected, please see the references below.

    Additional Information:

    This vulnerability could allow an attacker to take control of the affected system by leveraging a vulnerability in Flash Player or authplay.dll component in Adobe Reader and Acrobat.

    FortiGuard Labs continues to monitor this vulnerability world wide while developing additional mitigation strategies / solutions based off our findings.

    Solutions:

    • FortiGuard Labs released the following signature which covers this specific vulnerability
      • "Adobe.0day.23305" on June 08,2010

    Fortinet customers who subscribe to Fortinet's intrusion prevention (IPS) service should be protected against this vulnerability. Fortinet's IPS service is one component of FortiGuard Subscription Services, which also offer comprehensive solutions such as antivirus, Web content filtering and antispam capabilities. These services enable protection against threats on both application and network layers. FortiGuard Services are continuously updated by FortiGuard Labs, which enables Fortinet to deliver a combination of multi-layered security intelligence and true zero-day protection from new and emerging threats. These updates are delivered to all FortiGate, FortiMail and FortiClient products. Fortinet strictly follows responsible disclosure guidelines to ensure optimum protection during a threat's lifecycle.

    References:

    ]]>     http://www.fortiguard.com/advisory/FGA-2010-27.html http://www.fortiguard.com/advisory/FGA-2010-27.html Mon, 07 Jun 2010 00:00:00 -0800     Threat Landscape Report - May 2010 Edition

    Table of Contents:


    FortiGuard Labs

    Exploits and Intrusion Prevention



    Top 10 Attacks & Regions



    The top 10 attack attempts detected for this period follow, ranked by the number of valid attack cases reported. Valid attack cases are defined as threats we have listed as a Threat Outbreak on our FortiGuard Center (RSS feed here). Percentage indicates the portion of activity for which the attack accounted out of the accumulated daily incidents reported during this period. Severity indicates the general risk factor involved with the exploitation of the vulnerability, rated from medium to critical. Critical issues are outlined in bold. Top 100 shifts indicate positional changes compared to last edition's Top 100 ranking, with "new" highlighting the attack's debut in the Top 100. Figure 1a shows a daily record of attack cases reported for this period's Top 5 attacks. Figure 1b below shows the Top 5 regions attacked in comparison to total attack cases reported this period.
    RankVulnerabilityPercentageSeverityTop 100 Shift
    1Java.Deployment.Toolkit.Launch.Method.Access62.5Criticalnew
    2MS.IE.Userdata.Behavior.Code.Execution16.3Critical-
    3MS.DCERPC.NETAPI32.Buffer.Overflow12.5Critical-
    4Gumblar.Botnet11.8Critical-3
    5Sasfis.Botnet4.2High-1
    6AWStats.Rawlog.Plugin.Logfile.Parameter.Input.Validation3.6High-
    7Apache.Expect.Header.XSS3.6Medium-
    8FTP.USER.Command.Overflow3.5High-3
    9SMTP.Auth.Buffer.Overflow3.2Critical-1
    10MS.Content.Management.Server.Code.Execution1.8Critical-1



    Figure 1a: Daily attack case activity for top 5 attacks

    Figure 1b: Top 5 regions by number of attack cases


    New Vulnerability Coverage



    There were a total of 102 vulnerabilities added to FortiGuard IPS coverage this period.
    Of these added vulnerabilities, 33 were reported to be actively exploited (32.4%).

    Figure 1c breaks down added vulnerabilities by severity, coverage and active exploitation in the wild.

    For more information, observe the detailed reports for this period at:

    Figure 1c: New vulnerability coverage for this edition, categorized by severity

    Malware Today



    Top 10 Variants



    Top 10 malware activity by individual variant. Percentage indicates the portion of activity the malware variant accounted for out of all malware threats reported in this edition. Top 100 shifts indicate positional changes compared to last edition's Top 100 ranking, with "new" highlighting the malware's debut in the Top 100. Figure 2 below shows the detected volume for the malware variants listed within the Top 5:

    ]]> http://www.fortiguard.com/reports/roundup_may_2010.htmlhttp://www.fortiguard.com/reports/roundup_may_2010.htmlTue, 01 Jun 2010 00:00:00 -0800 Adobe Security Bulletin for May 26, 2010
    RankMalware VariantPercentageTop 100 Shift
    1W32/Pushdo.RD!tr.dldr12.6new
    Adobe Vulnerability Identifier Adobe Bulletin DescriptionSeverityAffected SoftwareCVE ID
    APSB10-13Vulnerabilities that can be exploited by opening malicious .ASL, .ABR, or .GRD file.CriticalAdobe Photoshop CS4 CVE-2010-1296


    Threat Remediation


    Fortinet provides coverage on Adobe vulnerabilities in May 20, 2010.

    CVE NumberSignature Name
    CVE-2010-1296Adobe.Photoshop.Style.Layer.Code.Execution

    For more information on new and enhanced signatures, visit the IPS Service Update History. If you require more information, contact the FortiGuard Team using our Contact Us web page.


    Document History


    Revision DateVersion Number
    Wednesday, May 26 20101Initial Documentation.


    Reference:
    ]]> http://www.fortiguard.com/advisory/FGA-2010-26.html http://www.fortiguard.com/advisory/FGA-2010-26.html Wed, 26 May 2010 00:00:00 -0800 Fortinet Investigates Microsoft Canonical Display Driver Vulnerability Summary:

    Fortinet's FortiGuard Labs Investigates a Vulnerability in Microsoft Canonical Display Driver.

    Impact:

    DoS/Possible Code Execution

    Risk:

    High

    Affected Software:

    For a list of Microsoft Canonical Display Driver versions affected, please see the references below.

    Additional Information:

    This is a vulnerability being exploited that could cause the affected system to stop responding and automatically restart. The possibility of remote code execution can't be excluded.

    FortiGuard Labs continues to monitor this vulnerability world wide while developing additional mitigation strategies / solutions based off our findings.

    References:

    ]]>     http://www.fortiguard.com/advisory/FGA-2010-25.html http://www.fortiguard.com/advisory/FGA-2010-25.html Wed, 19 May 2010 00:00:00 -0800     Fortinet Discovers Multiple Adobe Shockwave Player Vulnerabilities (APSB10-12) Summary:

    Fortinet's FortiGuard Labs has discovered seven vulnerabilities in Adobe Shockwave Player that could compromise the affected system.

    Impact:

    System Compromise

    Risk:

    Critical

    Affected Software:

    For a list of Adobe versions affected, please see the references below.

    Additional Information:
    • Memory Corruption occurs when Shockwave Player parses ".dir" media file that can lead to exploitation. (CVE-2010-1280,CVE-2010-1286,CVE-2010-1287,CVE-2010-1289,CVE-2010-1290,CVE-2010-1291).
    • Heap overflow that can lead to exploitation. (CVE-2010-1288).

    Vulnerabilities are being exploited to run malicious code on the affected system.

    Solutions:
    • Users should apply the solution provided by Adobe.
    • FortiGuard Labs released the following signatures to protect against these vulnerabilities
      • "Adobe.Shockwave.Player.Dir.Invalid.Length.Code.Execution", previously released as "FG-VD-10-013-Adobe" (CVE-2010-1280)
      • "Adobe.Shockwave.Player.Dir.File.DEMX.Tag.Memory.Corruption", previously released as "FG-VD-10-004-Adobe" (CVE-2010-1286)
      • "Adobe.Shockwave.Player.Dir.File.Length.Field.Memory.Corruption", previously released as "_FG-VD-10-006-Adobe" (CVE-2010-1287)
      • "Adobe.Shockwave.Player.Dir.File.Parsing.Heap.Exhaustion", previously released as "FG-VD-10-007-Adobe" (CVE-2010-1288)
      • "Adobe.Shockwave.Player.Dir.File.Handling.Memory.Corruption", previously released as "FG-VD-10-008-Adobe" (CVE-2010-1289)
      • "Adobe.Shockwave.Player.IML32.Dll.Memory.Corruption", previously released as "FG-VD-10-011-Adobe" (CVE-2010-1290)
      • "Adobe.Shockwave.Player.Dir.File.Parsing.Access.Violation", previously released as "FG-VD-10-009-Adobe" (CVE-2010-1291)


    References:

    Acknowledgment:
    • Honggang Ren of Fortinet's FortiGuard Labs (CVE-2010-1280,CVE-2010-1286,CVE-2010-1287,CVE-2010-1289,CVE-2010-1290,CVE-2010-1291,CVE-2010-1288).
    ]]>     http://www.fortiguard.com/advisory/FGA-2010-24.html http://www.fortiguard.com/advisory/FGA-2010-24.html Wed, 12 May 2010 00:00:00 -0800     Adobe Security Bulletin for May 11, 2010
    Adobe Vulnerability Identifier Adobe Bulletin DescriptionSeverityAffected SoftwareCVE ID
    APSB10-11Vulnerabilities that could lead to cross-site scripting and information disclosure.ImportantColdFusion 8.0, 8.0.1, 9.0 and earlier versions CVE-2009-3467
    CVE-2010-1293
    CVE-2010-1294
    APSB10-12Vulnerabilities being exploited to run malicious code on the affected system.CriticalShockwave Player 11.5.6.606 and earlier versions CVE-2010-0127
    CVE-2010-0128
    CVE-2010-0129
    CVE-2010-0130
    CVE-2010-0986
    CVE-2010-0987
    CVE-2010-1280
    CVE-2010-1281
    CVE-2010-1282
    CVE-2010-1283
    CVE-2010-1284
    CVE-2010-1286
    CVE-2010-1287
    CVE-2010-1288
    CVE-2010-1289
    CVE-2010-1290
    CVE-2010-1291
    CVE-2010-1292


    Threat Remediation


    Fortinet provides coverage on Adobe vulnerabilities in May 11, 2010.

    CVE NumberSignature Name
    CVE-2010-1293Adobe.ColdFusion.logintowizard.cfm.XSS
    CVE-2010-0127Adobe.Shockwave.Player.Dir.File.Boundary.Error
    CVE-2010-0128Adobe.Shockwave.Player.Dir.File.Signedness.Error
    CVE-2010-0129Adobe.Shockwave.Player.Dir.File.Integer.Overflow
    CVE-2010-0130Adobe.Shockwave.Player.Dir.File.Memory.Corruption
    CVE-2010-0986Adobe.Shockware.Player.Parsing.Dir.File.Memory.Corruption
    CVE-2010-0987Adobe.Shockware.Player.Parsing.Dir.File.Buffer.Overflow
    CVE-2010-1280Adobe.Shockwave.Player.Dir.Invalid.Length.Code.Execution
    [Previous Name: FG-VD-10-013-Adobe]
    CVE-2010-1281Adobe.Shockwave.Player.Offset.Underflow.Memory.Corruption
    CVE-2010-1282Adobe.Shockwave.Player.Dir.File.ATOM.Size.DoS
    CVE-2010-1283Adobe.Shockwave.Player.3D.Parsing.Memory.Corruption
    CVE-2010-1284Adobe.Shockwave.Player.Dir.Invalid.Value.Code.Execution
    CVE-2010-1286 ]]> http://www.fortiguard.com/advisory/FGA-2010-23.html http://www.fortiguard.com/advisory/FGA-2010-23.html Tue, 11 May 2010 00:00:00 -0800 Microsoft Security Bulletin for May 11, 2010
    MS Bulletin Number Microsoft Bulletin TitleSeverityImpact of VulnerabilityAffected SoftwareCVE ID
    MS10-030Vulnerability in Outlook Express and Windows Mail Could Allow Remote Code Execution (978542)CriticalRemote Code ExecutionMicrosoft Windows CVE-2010-0816
    MS10-031Vulnerability in Microsoft Visual Basic for Applications Could Allow Remote Code Execution (978213)CriticalRemote Code ExecutionMicrosoft Office, Microsoft Visual Basic for Applications CVE-2010-0815


    Threat Remediation


    Fortinet provides coverage on Microsoft vulnerabilities in May 12, 2010.

    CVE NumberSignature Name
    CVE-2010-0815MS.Windows.VBE6.DLL.Stack.Memory.Corruption
    CVE-2010-0816MS.Windows.Mail.Client.Integer.Overflow

    For more information on new and enhanced signatures, visit the IPS Service Update History. If you require more information, contact the FortiGuard Team using our Contact Us web page.


    Document History


    Revision DateVersion Number
    Tuesday, May 11 20101Initial Documentation.


    Reference:
    ]]>     http://www.fortiguard.com/advisory/FGA-2010-22.html http://www.fortiguard.com/advisory/FGA-2010-22.html Tue, 11 May 2010 00:00:00 -0800     Adobe Security Bulletin for April 30, 2010
    Adobe Vulnerability Identifier Adobe Bulletin DescriptionSeverityAffected SoftwareCVE ID
    APSB10-10A vulnerability being exploited by opening a malicious .TIFF file in Photoshop CS4.CriticalAdobe Photoshop CS4 version 11.0.0 CVE-2010-1279


    Threat Remediation


    Fortinet provides coverage on Adobe vulnerabilities in May 05, 2010.

    CVE NumberSignature Name
    CVE-2010-1279Adobe.Photoshop.CS4.TIFF.File.Processing.Code.Execution

    For more information on new and enhanced signatures, visit the IPS Service Update History. If you require more information, contact the FortiGuard Team using our Contact Us web page.


    Document History


    Revision DateVersion Number
    Friday, April 30 20101Initial Documentation.


    Reference:
    ]]>     http://www.fortiguard.com/advisory/FGA-2010-21.html http://www.fortiguard.com/advisory/FGA-2010-21.html Tue, 04 May 2010 00:00:00 -0800     Fortinet Protects Against Microsoft SharePoint Elevation of Privilege Vulnerability Summary:

    Fortinet's FortiGuard Labs Protects Against a Vulnerability in Microsoft SharePoint.

    Impact:

    Privilege Escalation

    Risk:

    Medium

    Affected Software:

    For a list of Microsoft SharePoint versions affected, please see the references below.

    Additional Information:

    It is a vulnerability that could allow an attacker to inject a script resulting in an elevation of privilege within the SharePoint site.

    FortiGuard Labs continues to monitor this vulnerability world wide while developing additional mitigation strategies / solutions based off our findings.

    Solutions:

    • FortiGuard Labs released the following signature which covers this specific vulnerability
      • "MS.SharePoint.Server.Help.aspx.XSS" on May 03, 2010

    Fortinet customers who subscribe to Fortinet's intrusion prevention (IPS) service should be protected against this vulnerability. Fortinet's IPS service is one component of FortiGuard Subscription Services, which also offer comprehensive solutions such as antivirus, Web content filtering and antispam capabilities. These services enable protection against threats on both application and network layers. FortiGuard Services are continuously updated by FortiGuard Labs, which enables Fortinet to deliver a combination of multi-layered security intelligence and true zero-day protection from new and emerging threats. These updates are delivered to all FortiGate, FortiMail and FortiClient products. Fortinet strictly follows responsible disclosure guidelines to ensure optimum protection during a threat's lifecycle.

    References:

    ]]>     http://www.fortiguard.com/advisory/FGA-2010-20.html http://www.fortiguard.com/advisory/FGA-2010-20.html Fri, 30 Apr 2010 00:00:00 -0800     Threat Landscape Report - April 2010 Edition

    Table of Contents:


    FortiGuard Labs

    Exploits and Intrusion Prevention



    Top 10 Attacks & Regions



    The top 10 attack attempts detected for this period follow, ranked by the number of valid attack cases reported. Valid attack cases are defined as threats we have listed as a Threat Outbreak on our FortiGuard Center (RSS feed here). Percentage indicates the portion of activity for which the attack accounted out of the accumulated daily incidents reported during this period. Severity indicates the general risk factor involved with the exploitation of the vulnerability, rated from medium to critical. Critical issues are outlined in bold. Top 100 shifts indicate positional changes compared to last edition's Top 100 ranking, with "new" highlighting the attack's debut in the Top 100. Figure 1a shows a daily record of attack cases reported for this period's Top 5 attacks. Figure 1b below shows the Top 5 regions attacked in comparison to total attack cases reported this period.
    RankVulnerabilityPercentageSeverityTop 100 Shift
    1Gumblar.Botnet42.8Critical-
    2MS.IE.Userdata.Behavior.Code.Execution22.2Critical-
    3MS.DCERPC.NETAPI32.Buffer.Overflow21.5Critical-
    4Sasfis.Botnet7.2High+1
    5FTP.USER.Command.Overflow5.9High+1
    6AWStats.Rawlog.Plugin.Logfile.Parameter.Input.Validation5.5High+1
    7Apache.Expect.Header.XSS5.3Medium+1
    8SMTP.Auth.Buffer.Overflow3.3Critical+1
    9MS.Content.Management.Server.Code.Execution3.1Critical+1
    10Crystal.Reports.Path.Traversal3.0Criticalnew



    Figure 1a: Daily attack case activity for top 5 attacks

    Figure 1b: Top 5 regions by number of attack cases


    New Vulnerability Coverage



    There were a total of 108 vulnerabilities added to FortiGuard IPS coverage this period.
    Of these added vulnerabilities, 30 were reported to be actively exploited (27.8%).

    Figure 1c breaks down added vulnerabilities by severity, coverage and active exploitation in the wild.

    For more information, observe the detailed reports for this period at:

    Figure 1c: New vulnerability coverage for this edition, categorized by severity

    Malware Today



    Top 10 Variants



    Top 10 malware activity by individual variant. Percentage indicates the portion of activity the malware variant accounted for out of all malware threats reported in this edition. Top 100 shifts indicate positional changes compared to last edition's Top 100 ranking, with "new" highlighting the malware's debut in the Top 100. Figure 2 below shows the detected volume for the malware variants listed within the Top 5:

    w
    RankMalware VariantPercentageTop 100 Shift
    1W32/FraudPack.fam!tr28.7 ]]> http://www.fortiguard.com/reports/roundup_april_2010.html http://www.fortiguard.com/reports/roundup_april_2010.html Wed, 28 Apr 2010 00:00:00 -0800 Adobe Security Bulletin for April 13, 2010
    Adobe Vulnerability Identifier Adobe Bulletin DescriptionSeverityAffected SoftwareCVE ID
    APSB10-09Vulnerabilities that could cause the application to crash and could allow an attacker to control the compromised system.CriticalAdobe Reader, Adobe Acrobat CVE-2010-0190
    CVE-2010-0191
    CVE-2010-0192
    CVE-2010-0193
    CVE-2010-0194
    CVE-2010-0195
    CVE-2010-0196
    CVE-2010-0197
    CVE-2010-0198
    CVE-2010-0199
    CVE-2010-0201
    CVE-2010-0202
    CVE-2010-0203
    CVE-2010-0204
    CVE-2010-1241


    Threat Remediation


    Fortinet provides coverage on Adobe vulnerabilities in April 13, 2010.

    CVE NumberSignature Name
    CVE-2010-0192Adobe.Reader.Embeded.Font.Memory.Corruption
    [Previous Name: Adobe.0day.20812]
    CVE-2010-0194Adobe.Reader.LineSetContinuation.Memory.Corruption
    [Previous Name: FG-VD-10-003-Adobe]
    CVE-2010-0195Adobe.Reader.Font.Parsing.Code.Execution
    [Previous Name: Adobe.0day.20803]
    CVE-2010-0196Adobe.Reader.U3D.CLODMeshDeclaration.Memory.Corruption
    [Previous Name: Adobe.0day.20805]
    CVE-2010-0197Adobe.Reader.RichMedia.Memory.Corruption
    [Previous Name: Adobe.0day.20807]
    CVE-2010-1241Adobe.Reader.Acrobat.Pro.CFF.Encodings.Handling.Heap.Overflow
    [Previous Name: FG-VD-10-005-Adobe]

    For more information on new and enhanced signatures, visit the IPS Service Update History. If you require more information, contact the FortiGuard Team using our Contact Us web page.


    Document History


    Revision DateVersion Number
    Tuesday, April 13 20101Initial Documentation.


    Reference:
    ]]>     http://www.fortiguard.com/advisory/FGA-2010-19.html http://www.fortiguard.com/advisory/FGA-2010-19.html Tue, 13 Apr 2010 00:00:00 -0800     Fortinet Discovers Multiple Adobe Reader / Acrobat Vulnerabilities (APSB10-09) Summary:

    Fortinet's FortiGuard Labs has discovered two memory corruption vulnerabilities in Adobe Reader / Acrobat, which allow a remote attacker to compromise a system through a malicious document.

    Impact:

    Remote Code Execution.

    Risk:

    High.

    Affected Software:

    For a list of affected software, please refer to the Adobe Security Bulletin reference below.

    Additional Information:

    Two memory corruption vulnerabilities were discovered in Adobe Reader / Acrobat, each of which is highlighted below:
    • Memory corruption in "3difr.x3d". The vulnerable X3D component is a plugin used to display 3D material, which when present in a PDF document, can lead to exploitation (CVE-2010-0194).
    • Memory corruption through heap overflow in "CoolType.dll" (CVE-2010-1241).
    The vulnerabilities are triggered when opening and rendering a PDF document. A remote attacker could craft a malicious document which exploits either one of these vulnerabilities, allowing them to compromise a system.

    Solutions:
    FortiGuard Labs released the following signatures to protect against these vulnerabilities
    • "Adobe.Reader.DeviceRGB.Subtype.Stream.Memory.Corruption", previously released as "FG-VD-10-003-Adobe" (CVE-2010-0194).
    • "Adobe.Reader.Acrobat.Pro.CFF.Encodings.Handling.Heap.Overflow", previously released as "FG-VD-10-005-Adobe" (CVE-2010-1241).
    References:

    Acknowledgment:
    • Bing Liu of Fortinet's FortiGuard Labs (CVE-2010-0194)
    • Haifei Li of Fortinet's FortiGuard Labs (CVE-2010-1241)
    ]]>     http://www.fortiguard.com/advisory/FGA-2010-18.html http://www.fortiguard.com/advisory/FGA-2010-18.html Tue, 13 Apr 2010 00:00:00 -0800     Fortinet Discovers Multiple Microsoft Visio Vulnerabilities (MS10-028) Summary:

    Fortinet's FortiGuard Labs has discovered two memory corruption vulnerabilities in Microsoft Office Visio, which allow a remote attacker to compromise a system through a malicious document.

    Impact:

    Remote Code Execution.

    Risk:

    High.

    Affected Software:

    For a list of affected software, please refer to the Microsoft Security Bulletin reference below.

    Additional Information:

    Two memory corruption vulnerabilities were discovered in Microsoft Office Visio, each of which is highlighted below:
    • Memory corruption in "vislib.dll" (CVE-2010-0254)
    • Memory corruption in "vislib.dll" (CVE-2010-0256)
    The vulnerabilities are triggered when opening and rendering a Visio file. A remote attacker could craft a malicious document which exploits either one of these vulnerabilities, allowing them to compromise a system.

    Solutions:
    FortiGuard Labs released the following signatures to protect against these vulnerabilities
    • "MS.Visio.Attribute.Memory.Corruption", previously released as "FG-VD-09-006-Microsoft" (CVE-2010-0254).
    • "MS.Visio.objectID.Memory.Corruption", previously released as "FG-VD-09-005-Microsoft" (CVE-2010-0256).
    References:

    Acknowledgment:
    • Bing Liu of Fortinet's FortiGuard Labs.
    ]]>     http://www.fortiguard.com/advisory/FGA-2010-17.html http://www.fortiguard.com/advisory/FGA-2010-17.html Tue, 13 Apr 2010 00:00:00 -0800