Skip to main content


Showing posts from June, 2013

MS13-051 / CVE-2013-1331 Office zero day patched by Microsoft

Here's some info on the now-patched (as of June 11 2013) zero day that's starting to come out.

MSFT advisory:


Sample on VT from March 4 2013 (credit Eromang):

And also a quick note that while no one submitted any CVE-2013-1331 samples to Cryptam before the public release, we would have detected the suspicious ScriptBridge reference in the above sample:

Update: @eromang has found samples of this exploit dating back to 2009, check out his blog post.

Tomato Garden Campaign: Part 2 - An Old "New" Exploit

Following up to our previous post, our analysis has shown the exploit is patched with MS12-060, however, it is not CVE-2012-1856 which deals with MSCOMCTL.OCX TabStrip.

The exploit we found used in targeted spear phishing in-the-wild uses the Toolbar activeX control to create a stack overflow - not TabStrip, but this new exploit is mitigated with the MS12-060 patch, making it old. Most of the samples extract a 256 byte xored executable after 0x8000.

As the exploit is indirectly patched, we will release all the related identifiers in the hopes that commercial AV can increase their detection rates for this exploit. As the current top document exploit is CVE-2012-0158, this new exploit requires a later patch to fix, and has lower detection rates than CVE-2012-0158 and CVE-2012-1856 we expect it to become even more popular.


Tomato Garden Campaign - Possible Microsoft Office zero day in the wild used against Tibet and China Democracy activists

Update:  So far some of the samples are killed with ms12-060 but are not a known exploit, so this might be a new, but patched exploit. The purpose of this campaign might be to evade AV while going after users without the latest patch - all samples are at 7 or 8 of 43 max on VirusTotal.

We are currently examining 40 samples of an unconfirmed zeroday in Microsoft Office circulating against Pro Democracy and Tibet activists. One of the exploit documents contains a "PittyTiger" payload, however, several different payload implants have been observed. The exploit is contained in a .doc file but could be delivered via RTF as well. We've seen attacks since June 4 2013 using payloads compiled on May 28, and some of the command and control domains have been registered as late as today June 6 2013.

We have provided the samples to Microsoft and are awaiting confirmation.

We will release detection signatures for our Cryptam document malware scanner - free online scanning at Cryptam.…