September 2013 – New IE 0-day – Update
Last updated on: September 6, 2020
Update 3: A Metasploit module has been posted for this vulnerability. It is currently limited to Windows 7 and IE9, but as Wei Chen points out in his post on the Rapid7 community site, all versions of IE are affected. FireEye has also detected three more groups that have started to use CVE-2013-3893 in their attacks and provides more insight in their blog post. Installing the Fix-It that Microsoft has provided in their KB2887505 article is now even more important.
Update 2: FireEye has posted more technical information on the exploits and their geographical distribution. They believe the first attacks were registered on August 19th. They also identified the group that is running the exploit campaign as the same one that attacked Bit9 some time ago, because the same e-mail address was used to register the C&C domains in both cases.
Update: Microsoft has published a post on the SRD blog that provides technical background information on the exploit. They also point out that the Enhanced Mitigation Experience Toolkit (EMET) prevents the exploit, as it already has in multiple cases in the past, for example in MS13-038 and MS13-008, previous 0-days for Internet Explorer, addressed in May and January of this year respectively. EMET should be high on your list of additional security tools to deploy.
BTW, QualysGuard detects this vulnerability as QID 100164.
Original: Microsoft just issued security advisory KB2887505 to address an actively exploited vulnerability in Internet Explorer (IE). The KB provides a Fix-It solution that uses the appcompat shim to patch mshtml.dll. The current cases are targeting only Windows XP and Windows 7 running IE8 and IE9, but other versions are also affected by the vulnerability.
We will keep this blog post updated as we get more information.