CVE-2014-4148
Published: 2014-10-15
Priority: P1 (88, high)
CVSS 3.1: 8.8 HIGH (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
CISA Known Exploited Vulnerability: listed, remediation due 2022-06-15
Exploited in the wild: yes
EPSS: 50.70% (98.8th percentile)
win32k.sys in the kernel-mode drivers in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows remote attackers to execute arbitrary code via a crafted TrueType font, as exploited in the wild in October 2014, aka "TrueType Font Parsing Remote Code Execution Vulnerability."
Affected
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows_server_2003 | SP2 | MS14-058 |
| microsoft | windows_vista | SP2 | MS14-058 |
| microsoft | windows_server_2008 | SP2, R2 SP1 | MS14-058 |
| microsoft | windows_7 | SP1 | MS14-058 |
| microsoft | windows_8 | — | MS14-058 |
| microsoft | windows_8.1 | — | MS14-058 |
| microsoft | windows_server_2012 | Gold, R2 | MS14-058 |
| microsoft | windows_rt | Gold, 8.1 | MS14-058 |

The version ranges are those of the NVD description above; the fix is Microsoft bulletin MS14-058 (October 2014), linked in the references at the end of this page. A qemu range (< 2.0.0+dfsg-2ubuntu1.3) that some feeds attach to this CVE comes from an OSV entry for CVE-2013-4148, a different vulnerability, and does not apply here.
Detection & IOCs
- Black Lambert, the payload delivered by the CVE-2014-4148 exploit, carries internal configuration markers: toolType=wl, build=132914 and versionName=2.0.0. Scanning memory and configuration blobs for these strings identifies Black Lambert implants. versionName=2.0.0 on its own is a generic version string, so require the markers to co-occur before acting on a hit.
- White Lambert, the second-stage tool linked to the same campaign, runs in kernel mode and sniffs network traffic for specially crafted packets. Detection should focus on unsigned kernel-mode drivers and on exploitation of the signed SiSoftware Sandra driver.
- The exploit is delivered as a crafted TrueType Font (TTF) file. On the affected Windows versions TrueType parsing runs inside win32k.sys in kernel mode, so a malicious font embedded in a document or web page gives the attacker kernel-mode code execution once the user opens it (the CVSS vector's UI:R). A failed attempt shows up as a win32k.sys bugcheck, so alert on kernel crash dumps that originate in font processing; a successful exploit leaves no crash, so pair that signal with the Black Lambert marker scan above and with scrutiny of fonts embedded in documents from untrusted sources.
- Only one Black Lambert sample is publicly known: the loader hdmsvc.exe and the payload winlib.dll. Their two hashes are the complete known sample set for this CVE's direct payload.
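The marker scan described in the first bullet above, as an added example that is neither the page's nor Kaspersky's code: a small Python triage script that searches a file or memory dump for the three Black Lambert configuration strings. The page does not say how the implant stores the strings, so the script searches both ASCII and UTF-16LE encodings (an assumption), and it reports a match only when the markers co-occur, because versionName=2.0.0 alone is too generic to act on. The sample blobs are constructed for the demonstration and are not real samples.

```python
"""Triage scanner for the Black Lambert configuration markers.

Added example, not the page's or Kaspersky's code. The marker strings come
from the Detection & IOCs list; the implant's string encoding is not stated,
so both ASCII and UTF-16LE are searched (assumption). Sample blobs are
constructed for the demonstration, not real samples.
"""
import re
from dataclasses import dataclass, field

# Marker strings taken from the IOC list above.
MARKERS = ("toolType=wl", "build=132914", "versionName=2.0.0")
# A bare version string is common in benign software; on its own it is not
# enough to raise an alert.
GENERIC = {"versionName=2.0.0"}
ENCODINGS = ("ascii", "utf-16-le")   # assumption: implant may store wide strings


@dataclass
class Hit:
    marker: str
    encoding: str
    offset: int          # absolute byte offset in the scanned object


@dataclass
class ScanResult:
    hits: list = field(default_factory=list)

    def markers_found(self) -> set:
        return {h.marker for h in self.hits}


# One pre-compiled bytes pattern per (marker, encoding) pair.
_PATTERNS = [
    (m, enc, re.compile(re.escape(m.encode(enc))))
    for m in MARKERS for enc in ENCODINGS
]


def scan_blob(blob: bytes, base: int = 0) -> ScanResult:
    """Find every marker occurrence in an in-memory blob."""
    res = ScanResult()
    for marker, enc, pat in _PATTERNS:
        for match in pat.finditer(blob):
            res.hits.append(Hit(marker, enc, base + match.start()))
    res.hits.sort(key=lambda h: h.offset)
    return res


def scan_file(path: str, chunk_size: int = 4 << 20) -> ScanResult:
    """Stream a large file (e.g. a memory dump) through scan_blob.

    The last `overlap` bytes of each chunk are prepended to the next one so a
    marker straddling a chunk boundary is still seen; hits are de-duplicated
    by absolute offset because the overlap region is scanned twice.
    """
    overlap = 2 * max(len(m) for m in MARKERS)   # UTF-16LE doubles the width
    res, seen = ScanResult(), set()
    tail, pos = b"", 0
    with open(path, "rb") as f:
        while True:
            data = f.read(chunk_size)
            if not data:
                break
            buf = tail + data
            for h in scan_blob(buf, base=pos - len(tail)).hits:
                key = (h.marker, h.encoding, h.offset)
                if key not in seen:
                    seen.add(key)
                    res.hits.append(h)
            pos += len(data)
            tail = buf[-overlap:]
    res.hits.sort(key=lambda h: h.offset)
    return res


def verdict(res: ScanResult) -> str:
    """Co-occurrence rule: all three markers -> strong match; any specific
    marker without the full set -> partial; only the generic one -> clean."""
    found = res.markers_found()
    if found == set(MARKERS):
        return "black-lambert-config"
    if found - GENERIC:
        return "partial"
    return "clean"


# Constructed sample: markers embedded as UTF-16LE inside filler bytes.
SAMPLE_CONFIG = (b"\x00" * 16
                 + "toolType=wl;build=132914;versionName=2.0.0".encode("utf-16-le")
                 + b"\xff" * 16)
# Constructed benign sample: only the generic version string, as ASCII.
SAMPLE_BENIGN = b"MyApp versionName=2.0.0 (release build)"


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        r = scan_file(path)
        print(f"{path}: {verdict(r)}")
        for h in r.hits:
            print(f"  {h.offset:#010x}  {h.encoding:<9}  {h.marker}")
```

Run it as `python scan.py memory.dmp winlib.dll` and it prints one verdict per file followed by the offset, encoding and marker of each hit. The chunked reader with overlap is what makes it usable on multi-gigabyte memory images; the co-occurrence rule in `verdict` is the part to tune if you fold the markers into an EDR or YARA rule.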
CVSS provenance
| Source | Version | Score | Severity | Vector / note |
|---|---|---|---|---|
| nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 9.3 | HIGH | AV:N/AC:M/Au:N/C:C/I:C/A:C (CVSS v2 has no Critical band; 9.3 is High) |
| osv | — | 7.5 | HIGH | taken from the OSV qemu advisory for CVE-2013-4148 below, not from this CVE |
| vulncheck | — | 8.8 | HIGH | |
| cisa | — | 8.8 | HIGH | |
CISA
Microsoft Windows Remote Code Execution Vulnerability
Source: CISA KEV, added 2022-05-25, CVSS 8.8 (HIGH), CWE-94
Affected: Microsoft Windows
A remote code execution vulnerability exists when the Windows kernel-mode driver improperly handles TrueType fonts.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2014-4148
Remediation Due Date: 2022-06-15
GHSA
GHSA-4wxx-xmrx-3xq9: win32k
Source: GHSA (unreviewed), 2022-05-14, HIGH, CWE-94
The advisory text repeats the NVD description given at the top of this page.
OSV (mis-associated entry: Ubuntu advisory for CVE-2013-4148)
qemu, qemu-kvm vulnerabilities
Source: OSV, 2014-09-08, CVSS 7.5
This Ubuntu advisory is indexed under CVE-2013-4148, a QEMU state-loading bug, and was attached to this page through the near-identical CVE number. It does not concern win32k.sys or CVE-2014-4148; the 7.5 OSV score and the qemu affected range that appear in some feeds for this CVE derive from it. The advisory text follows.
Michael S. Tsirkin, Anthony Liguori, and Michael Roth discovered multiple
issues with QEMU state loading after migration. An attacker able to modify
the state data could use these issues to cause a denial of service, or
possibly execute arbitrary code. (CVE-2013-4148, CVE-2013-4149,
CVE-2013-4150, CVE-2013-4151, CVE-2013-4526, CVE-2013-4527, CVE-2013-4529,
CVE-2013-4530, CVE-2013-4531, CVE-2013-4532, CVE-2013-4533, CVE-2013-4534,
CVE-2013-4535, CVE-2013-4536, CVE-2013-4537, CVE-2013-4538, CVE-2013-4539,
CVE-2013-4540, CVE-2013-4541, CVE-2013-4542, CVE-2013-6399, CVE-2014-0182,
CVE-2014-3461)
Kevin Wolf, Stefan Hajnoczi, Fam Zheng, Jeff Cody, Stefan Hajnoczi, and
others discovered multiple issues in the QEMU block drivers. An attacker
able to modify disk ima
VulnCheck
Microsoft Windows Remote Code Execution Vulnerability
Source: VulnCheck, 2014, CVSS 8.8 (HIGH), CWE-94
A remote code execution vulnerability exists when the Windows kernel-mode driver improperly handles TrueType fonts.
Affected: Microsoft Windows
Required Action: Apply updates per vendor instructions.
Exploitation References:
- https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit
- https://www.cve.org/CVERecord?id=CVE-2014-4148
- https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07205202/The_Mystery_of_Duqu_2_0_a_sophisticated_cyberespionage_actor_returns.pdf
- https://www.dropbox.com/s/buxkfotx1kei0ce/Whitepaper%20Shadow%20Broker%20-%20Equation%20Group%20Hack.pdf?dl=0
- https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?Docu
No detection rules found.
No public exploits indexed.
Securelist
IT threat evolution Q2 2017
Source: Securelist blog, 2017-08-15
Table of Contents
- Targeted attacks and malware campaigns
  - Back to the future: looking for a link between old and new APTs
  - Lazarus uncovered
  - Beating the bank
  - Meet the Lamberts
- Malware stories
  - More vulnerable Internet of Things things
  - From extortion to ExPetr
Authors
- David Emm
## Targeted attacks and malware campaigns
### Back to the future: looking for a link between old and new APTs
This year’s Security Analyst Summit (SAS) included interesting research findings on several targeted attack campaigns. For example, researchers from Kaspersky Lab and King’s College London presented their findings on a possible link between Moonlight Maze, a 20 year old cyber-espionage attack that targeted the Pentagon, NASA and others, and Turla – a very modern APT group.
Contemporary reports on Moonlight Maze show how, starting from 1996, US military and government networks, as well as universities, research institutions and even the Department of Energy, began detecting breaches in their systems. The FBI and the Department of Defense
Securelist
Unraveling the Lamberts Toolkit
Source: Securelist blog, 2017-04-11, CVSS 8.8 (HIGH)
Table of Contents
- An Overview of the Lamberts
- The Lamberts in Brief – from Black to Gray
  - Black Lambert
  - Blue Lambert
  - Green Lambert
  - White Lambert
  - Pink Lambert
  - Gray Lambert
- Timeline
- Codenames and Popular Culture Referenced in Lamberts
- Conclusions
Authors
- GReAT
## An Overview of a Color-coded Multi-Stage Arsenal
Yesterday, our colleagues from Symantec published their analysis of Longhorn, an advanced threat actor that can be easily compared with Regin, ProjectSauron, Equation or Duqu2 in terms of its complexity.
Longhorn, which we internally refer to as “The Lamberts”, first came to the attention of the ITSec community in 2014, when our colleagues from FireEye discovered an attack using a zero day vulnerability (CVE-2014-4148). The attack leveraged malware we called ‘BlackLambert’, which was used to target a high profile organization in Europe.
Since at least 2008, The Lamberts have used multiple sophistica
Unit42
Super Tuesday: A Patch Tuesday We Won’t Forget
Source: Unit 42 blog, 2014-10-15, CVSS 7.8 (HIGH)
Ryan Olson, Threat Research, published October 15, 2014
Tags: Vulnerabilities, BlackEnergy, iSight, Microsoft, Microsoft Security Bulletin, Patch Tuesday, PowerShell Empire, Sandworm
Sometimes “Patch Tuesday” comes and goes with little excitement or fanfare; yesterday was not one of those days. In just one day, Oracle released patches for 154 new vulnerabilities, Adobe issued updates for Flash and ColdFusion, and Microsoft released 24 patches of their own. On top of the sheer volume of patches, we learned that three of the Microsoft vulnerabilities were being exploited in targeted attack campaigns.
### Sandworm
The first to drop was the Sandworm Campaign, a report from iSight partners, which described attacks on European and American targets in the month of August using new versions of the BlackEnergy bot, but the group behind the attacks has been operating since at least 2009. The biggest news here was the group’s exploitation of a “new” vulnerability in Windows, CV
Talos
Microsoft Update Tuesday October 2014: Fixes for 4 0-day Vulnerabilities
Source: Talos blog, 2014-10-14, CVSS 7.8 (HIGH)
This post was authored by Yves Younan
Microsoft Tuesday is here once again and this month they are releasing a total of eight bulletins, three of which are rated as critical, while the remaining five are rated as important. There’s a total of 24 CVEs this month, 20 of which were privately disclosed to Microsoft and four which are either publicly known or under active attack, making them 0-day vulnerabilities. Of those four, two are being actively attacked, while two have been publicly disclosed but do not seem to be under attack for supported software. Of the 24 CVEs, 15 are categorized as allowing remote code execution, four as elevation of privilege and three as security feature bypasses.
The first bulletin is MS14-056 and is the IE bulletin. There’s a total of 14 CVEs and it is rated
arXiv
Investigation of Advanced Persistent Threats Network-based Tactics, Techniques and Procedures
Source: arXiv full text, 2025-02-12
Almuthanna Alageel and Sergio Maffeis, Department of Computing, Imperial College London, London, United Kingdom
## Abstract
The scarcity of data and the high complexity of Advanced Persistent Threats (APTs) attacks have created challenges in comprehending their behavior and hindered the exploration of effective detection techniques.
To create an effective APT detection strategy, it is important to examine the Tactics, Techniques, and Procedures (TTPs) that have been reported by the industry. These TTPs can be difficult to classify as either malicious or legitimate. When developing an approach for the next generation of network intrusion detection systems (NIDS), it is necessary to
References
- http://blogs.technet.com/b/srd/archive/2014/10/14/accessing-risk-for-the-october-2014-security-updates.aspx
- http://secunia.com/advisories/60970
- http://www.securityfocus.com/bid/70429
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2014/ms14-058
- https://exchange.xforce.ibmcloud.com/vulnerabilities/96995
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2014-4148
Timeline
- 2014-10-15: Published
- 2022-05-25: Added to CISA KEV
- Exploited in the wild