Defense for the 0-Day in IE8

Microsoft is currently dealing with an exploit (see security advisory KB2847140) for a 0-day vulnerability in Internet Explorer (IE). Machines attacked by this exploit yield full control to the attacker and allow him to install more advanced malware, such as the well-known RAT Poison Ivy. The exploit was first discovered last Wednesday on a website of the Department of Labor specialized in nuclear technology. It has since spread to other websites and is now also available in Metasploit. The exploit works only against IE version 8 (IE8), which limits the exposure to about 42% of all systems, according to the last count from our BrowserCheck service.

IE8 is the latest version available on Windows XP, and was also the version originally installed on Windows 7. This explains the rather high numbers that we are seeing for this older browser. Windows 7 users have access to IE9, which is not affected by this attack and has a much better security architecture. Upgrading to IE9 is a straightforward way to defend against the attack.

Update2: New 0-day in Microsoft Internet Explorer 8

Update2:

Microsoft published Fix-it 50992, which uses their Appcompat shim technology to neutralize the vulnerability. The Fix-it can be accessed via KB2847140.

Update:

A Metasploit module has been made available for the 0-day vulnerability, which makes it easier to convince IT management of the robustness and applicability of the exploit.

Original:

Yesterday Microsoft published security advisory KB2847140 about an exploit for a 0-day vulnerability (CVE-2013-1347) in Internet Explorer 8. The exploit is in active use in the wild, for example on the compromised website of the US Department of Labor earlier this week. Initially it was widely reported that the website was exploiting a known vulnerability in Internet Explorer to then install the remote access tool Poison Ivy.

Exploit for Java 7u17 in Use in the Wild

In case you have not yet patched your Java installation to the latest version, Java 7u21 from last Tuesday, April 16, here are three reasons to do so rather quickly:

  • On April 17, POC code for one of the vulnerabilities (CVE-2012-2423) in 7u17 was published by Jeroen Frijters, who originally discovered the vulnerability and was credited by Oracle in their release announcement.
  • On April 20, a Metasploit module was released that uses the POC code for CVE-2012-2423 and allows penetration testers to attack Java 7u17 and take control of the targeted machine.
  • On April 21, F-Secure published a blog post saying that they are detecting attacks in the wild against that same vulnerability, using code that has some similarly named code structures as the original POC code and the Metasploit module.

If you need Java, you should patch now. If this is not possible, disconnect Java from the browser, as the attack code uses the browser as its attack vector.

This exploit is unrelated to a new vulnerability discovered in Java 7u21, the latest available version, which Adam Gowdiak of Security Explorations submitted to the Oracle Security Team on April 22. The information on that vulnerability is kept private and no known exploits are available.