Qualys Blog

www.qualys.com
wkandek

September 2013 – New IE 0-day – Update

Update 3: A Metasploit module has been posted for this vulnerability, it is currently limited to Windows 7 and IE9, but as Wei Chen points out in his post on the Rapid7 community site, all version of IE are infected. Fireeye has also detected three more groups that have started to use CVE-2013-3893 in their attacks and provide more insight in their blog post. Installing the Fix-It that Microsoft has provided in their KB2887505 artice is now even more importnant.

Update 2: FireEye has posted more technical information on the exploits and their geographical distruibution. They believe the first attacks were registered on August 19th. They also identfied the group that is running the exploit campaign as the same that attacked bit9 some time ago, because they used the same e-mail address to register the C&C domains in both cases.

Update: Microsoft has published a post on the SRD blog that provides technical background information on the exploit. They also point out that the Enhanced Mitigation Experience Toolkit (EMET) is preventing the exploit, as it has multiple cases in the past already, for example in MS13-038 and MS13-008, previous 0-days for Internet Explorer, addressed in May and January of this year respectively. EMET should be high on your list of additional security tools to deploy.

BTW, QualysGuard detects this vulnerability as QID 100164.

Original: Microsoft just issued security advisory KB2887505 to address an actively exploited vulnerability in Internet Explorer (IE). The KB provides a Fix-It solution that uses the appcompat shim to patch the mshtml.dll. The current cases are targeting only Windows XP and Windows 7 running IE8 and IE9, but other versions are also affected by the vulnerability.

The attacker exploits the vulnerability by setting up a malicious webpage which uses JavaScript code to prepare a use-after-free condition, where previously allocated memory, whose content the attacker can control, is accessed after it has been marked as not used anymore. The exploit depends on a Microsoft Office DLL which has been compiled without Adress Space Layout Randomization (ALSR) to locate the right memory segment to attack, but this DLL is extremely common and most likely will not lower the affected population by much. While the attack is very targeted and geographically limited to Japan, it might not affect you at the moment. But with the publication of the shim, other attackers can now analyze the condition fixed and will be able to produce an equivalent exploit fairly quickly. Therefore we suggest applying the Fix-It as soon as possible if you use IE to access the Internet.

We will keep this blog post updated as we get more information.

Leave a Reply