Forum Thread: Microsoft reports IE zero-day attacks

You are currently viewing a forum thread in the Secunia Community Forum. Please note that opinions expressed here are not of Secunia but solely reflect those of the user who wrote it.

This thread was submitted in the following forum:
Open Discussions

This thread has been marked as resolved.
mogs Microsoft reports IE zero-day attacks
Expert Contributor 17th Sep, 2013 22:05
Ranking: 2265
Posts: 6,268
User Since: 22nd Apr, 2009
System Score: 100%
Location: UK
Summary: All versions of Internet Explorer are vulnerable to remote code execution through a memory corruption bug. Attacks are currently being conducted with exploits that work on IE8 and IE9.

Larry Seltzer
By Larry Seltzer for Zero Day | September 17, 2013 --

Microsoft is reporting an unpatched vulnerability in all versions of Internet Explorer. All versions of IE, other than those running on Windows Server, are vulnerable. This includes Internet Explorer 11 on Windows 8.1 and RT.

The vulnerability comes from a memory corruption bug which could lead to remote code execution. Microsoft says that they are aware of targeted attacks exploiting this vulnerability on Internet Explorer 8 and 9. Exploits such as these are often version-specific, even if the vulnerability affects multiple versions.

Attacks may be blocked by running a Microsoft "Fix it" solution for an earlier vulnerability: CVE-2013-1347 MSHTML Shim Workaround.

The company has not decided how to respond to the vulnerability. Certainly they will write a patch, but whether they schedule it for a Patch Tuesday or go "out of band" is not yet clear.

Microsoft's advisory also says that EMET (the Enhanced Mitigation Experience Toolkit) may be used to mitigate against the vulnerability.

http://www.zdnet.com/microsoft-reports-ie-zero-day...

--

Post "RE: Microsoft reports IE zero-day attacks" has been selected as an answer.
mogs RE: Microsoft reports IE zero-day attacks
Expert Contributor 17th Sep, 2013 22:18
Score: 2265
Posts: 6,268
User Since: 22nd Apr 2009
System Score: 100%
Location: UK
Hackers exploit critical IE bug; Microsoft promises patch
IE6 through IE11 harbor vulnerability, but in-the-wild attacks limited to IE8 and IE9


By Gregg Keizer
CareerJournal - Microsoft today said that hackers are exploiting a critical, but unpatched, vulnerability in Internet Explorer 8 (IE8) and Internet Explorer 9 (IE9), and that its engineers are working on an update to plug the hole.

As it often does, the company downplayed the threat.

"There are only reports of a limited number of targeted attacks specifically directed at Internet Explorer 8 and 9, although the issue could potentially affect all supported versions," Dustin Childs, a manager in the Trustworthy Computing group and its usual spokesman, said in a blog post Tuesday morning.

"We are actively working to develop a security update to address this issue," Childs added.

According to Childs and the security advisory Microsoft also published today, the vulnerability affects all supported versions of IE, from the 12-year-old IE6 to the not-yet-officially-released IE11, the browser that will accompany Windows 8.1 when it ships Oct. 18.

"There is no escaping this one," said Andrew Storms, director of DevOps at cloud security vendor CloudPassage, referring to the bug affecting all versions of Microsoft's browser. "IE zero-days are never a good thing, especially when they affect every version," Storms added.

Although Microsoft's advisory did not put it in these terms, the vulnerability can be exploited using classic "drive-by" attack tactics. That means hackers need only lure victims running IE to malicious sites -- or legitimate websites that have previously been compromised and loaded with attack code -- to hijack their browser and plant malware on their Windows PCs.

Until Microsoft produces a patch, the company offered customers several options to protect themselves, including advice on configuring EMET 4.0 and running one of its "Fixit" automated tools to "shim" the DLL that contains the IE rendering engine.

EMET (Enhanced Mitigation Experience Toolkit) is a tool designed for advanced users, primarily enterprise IT professionals, that manually enables anti-exploit technologies such as ASLR (address space layout randomization) and DEP (data execution prevention) for specific applications.

But the Fixit route will be easiest for individual users: Microsoft's posted a link to the Fixit tool on its support site, and customers need only click the icon marked "Enable." Microsoft has used the shim approach before when faced with unexpected attacks against IE.

Based on past practice, Microsoft's Fixit workaround probably uses the Application Compatibility Toolkit to modify the core library of IE -- a DLL (dynamic link library) named "Mshtml.dll" that contains the browser's rendering engine -- in memory each time IE runs. The shim does not quash the bug, but instead makes the browser immune to the attacks Microsoft's seen in the wild thus far.

Users can also temporarily ditch IE for an alternate browser, such as Google's Chrome or Mozilla's Firefox, to stay safe until Microsoft comes up with a permanent fix.

Microsoft did not reply to questions, including when it plans to patch the IE vulnerability. But because the next regularly-scheduled Patch Tuesday is three weeks away, it's possible the Redmond, Wash. company's security team will deliver a so-called "out-of-band" update before Oct. 9.

Out-of-band updates from Microsoft are rare: The last one it shipped was MS13-008, an emergency patch issued Jan. 14 that plugged a hole in IE6, IE7 and IE8 that had been exploited since early December 2012.

http://www.computerworld.com/s/article/9242469/Hac...

--
Was this reply relevant?
+4
-1
mogs RE: Microsoft reports IE zero-day attacks
Expert Contributor 18th Sep, 2013 07:53
Score: 2265
Posts: 6,268
User Since: 22nd Apr 2009
System Score: 100%
Location: UK
Microsoft Launches Emergency Patch for Internet Explorer
September 18th, 2013, 05:31 GMT · By Bogdan Popa

Microsoft has just released a new security update for Internet Explorer in order to patch a flaw affecting all versions of the company’s in-house browser, including IE11 on Windows 8.1 RTM.

While Microsoft claims that it has received reports of attacks aimed at Internet Explorer 8 and 9, it appears that the security flaw affects all the other versions of the browser.

According to the company, the issue would allow remote code execution, which means that an attacker could get access to an unpatched system by directing users to a compromised website.

“This issue could allow remote code execution if an affected system browses to a website containing malicious content directed towards the specific browser type. This would typically occur when an attacker compromises the security of trusted websites regularly frequented, or convinces someone to click on a link in an email or instant message,” the company explained.

The Fix It tool released by Microsoft can be used for IE6, 7, 8, 9, 10, and 11 on Windows XP, Vista, 7, 8, and 8.1, both Preview and RTM. 32- and 64-bit versions of the operating systems are all included in the security advisory.

In addition, the tech giant recommends users to set Internet and local intranet security zone settings to “High” in order to block ActiveX Controls and Active Scripting in these zones.

“This will help prevent exploitation but may affect usability; therefore, trusted sites should be added to the Internet Explorer Trusted Sites zone to minimize disruption,” Microsoft said.

At the same time, the Softies suggest that it would be a good idea to configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting completely in the Internet and local intranet security zones, just to be sure that everyone is on the safe side and no successful attacks are possible.

http://news.softpedia.com/news/Microsoft-Launches-...


--
Was this reply relevant?
+4
-1
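
The zone workaround quoted in the post above (Internet and local intranet zones at "High", or Active Scripting set to prompt or disabled) can be audited from PowerShell. This is an added example, not part of the original posts or of Microsoft's advisory; the function names are hypothetical and the sample values are constructed, while the registry path and the `CurrentLevel`, `1400` and `1200` value names are the standard per-user IE security zone settings.

```powershell
# Audit IE security zones 1 (Local intranet) and 3 (Internet) against the
# workaround described in the post: zone level "High", or Active Scripting
# set to Prompt or Disabled. Requires PowerShell 3.0 or later.
# Only per-user settings are read; zone settings enforced through Group
# Policy live under the Policies hives and are not checked here.

$ZoneNames  = @{ 1 = 'Local intranet'; 3 = 'Internet' }
$ActionText = @{ 0 = 'Enabled'; 1 = 'Prompt'; 3 = 'Disabled' }
$HighLevel  = 0x12000   # CurrentLevel value written by the "High" template

function Read-ZoneSettings {
    # Returns the values of interest for one zone as a hashtable
    # (empty if the key or the values are absent).
    param([int]$Zone)
    $path = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$Zone"
    $result = @{}
    if (Test-Path $path) {
        $props = Get-ItemProperty -Path $path
        foreach ($name in 'CurrentLevel', '1400', '1200') {
            $p = $props.PSObject.Properties[$name]
            if ($p) { $result[$name] = [int]$p.Value }
        }
    }
    return $result
}

function Get-ActionText {
    # Translates a URL action value (0/1/3) into readable text.
    param([hashtable]$Settings, [string]$Name)
    if (-not $Settings.ContainsKey($Name)) { return 'Not set' }
    $value = $Settings[$Name]
    if ($ActionText.ContainsKey($value)) { return $ActionText[$value] }
    return "Unknown ($value)"
}

function Test-ZoneHardening {
    # 1400 = Active scripting, 1200 = Run ActiveX controls and plug-ins.
    param([int]$Zone, [hashtable]$Settings)
    $atHigh    = $Settings.ContainsKey('CurrentLevel') -and
                 ($Settings['CurrentLevel'] -eq $HighLevel)
    $scripting = Get-ActionText $Settings '1400'
    $activeX   = Get-ActionText $Settings '1200'
    [pscustomobject]@{
        Zone            = $ZoneNames[$Zone]
        AtHigh          = $atHigh
        ActiveScripting = $scripting
        RunActiveX      = $activeX
        MeetsWorkaround = $atHigh -or ($scripting -in 'Prompt', 'Disabled')
    }
}

# Constructed sample data so the logic can be exercised on any machine:
# intranet zone left at Medium-low with scripting on, Internet zone at High.
$sample = @{
    1 = @{ CurrentLevel = 0x10500; '1400' = 0; '1200' = 0 }
    3 = @{ CurrentLevel = 0x12000; '1400' = 3; '1200' = 3 }
}

$UseLiveRegistry = $false   # set to $true to audit the current user's settings

1, 3 | ForEach-Object {
    $settings = if ($UseLiveRegistry) { Read-ZoneSettings $_ } else { $sample[$_] }
    Test-ZoneHardening -Zone $_ -Settings $settings
} | Format-Table -AutoSize
```

With the constructed sample, the Local intranet row reports `MeetsWorkaround` as False and the Internet row as True.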
mogs RE: Microsoft reports IE zero-day attacks
Expert Contributor 18th Sep, 2013 19:56
Score: 2265
Posts: 6,268
User Since: 22nd Apr 2009
System Score: 100%
Location: UK
Microsoft rushes urgent fix for Internet Explorer
Fix-It update to combat zero-day attacks targeting flaws in Internet Explorer.

By Tony Bradley | PC World | 18 September 13

It's not Patch Tuesday, but Microsoft has released a crucial update for Internet Explorer that you should apply immediately.

Microsoft included a cumulative update for Internet Explorer in the 13 security bulletins that made up Patch Tuesday last week, and that update was considered Critical as well. Since then, though, a new flaw has been targeted by attacks in the wild, so Microsoft has responded with an out-of-band update.

The update from Microsoft is a Fix-It tool, which is more of a stop-gap bandage than an actual patch. Applying the Fix-It will protect Internet Explorer and prevent the currently circulating exploit from working on your systems.

Paul Henry, security and forensic analyst with Lumension, says that there are a number of mitigating factors that limit the potential scope of this threat, but those factors may offer little consolation for many users. "The bad news is that this is a very wide-reaching patch, affecting all versions of IE across all operating systems, from XP to RT," he says. "And more bad news: the average user is very susceptible to being hit with this."

Microsoft claims that running Internet Explorer in Enhanced Security Configuration mode prevents this attack. Internet Explorer runs in this restricted mode by default on Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2.

Microsoft states that all supported versions of Outlook, Outlook Express, and Windows Mail include protection by default as well. HTML email messages are opened by default in the Restricted Sites security zone, which disables scripts and ActiveX controls necessary for the exploit to execute.

However, Microsoft cautions that the protection in Outlook only applies to the HTML message within Outlook itself. If a user receives an email with a link and clicks on it, they're still potentially vulnerable because the threat is now Web-based and functioning outside of Outlook.

"The average user does not run the restricted sites mode, are not using the Enhanced Security Configuration and are all-too-willing to click on phishing emails," Henry explains, "I recommend employing the mitigating factors, as well as advising users about this so they will be less likely to click malicious links until you can apply the patch. It's been a while since we've seen an out-of-band patch for IE from Microsoft, but it's still important to apply it as soon as possible."

"It's important to reiterate that ALL versions of IE are affected including the Internet Explorer 11 preview," Tyler Reguly, technical manager of security research and development for Tripwire, says. "Since attacks are occurring now, this is a situation where it's in everyone's best interest for Microsoft to release a patch as soon as possible. In the meantime, install the shim that they've released."

He adds, "For less technical users that aren't comfortable with Microsoft Fix it solutions, using another browser until a patch is available is the best option."

A couple additional notes: The Fix-It solution only works with 32-bit versions of Internet Explorer, and you must first apply the cumulative update for Internet Explorer from last week's Patch Tuesday (MS13-069).



Read more: http://www.pcworld.com/article/2048912/microsoft-r...


--
Was this reply relevant?
+5
-2
joe schmoe RE: Microsoft reports IE zero-day attacks
Member 19th Sep, 2013 01:59
Score: 41
Posts: 143
User Since: 26th Nov 2008
System Score: 100%
Location: US
Appears Secunia has pulled the zero-day vulnerabilities notifications for all versions of IE for now. Has it been narrowed down to affecting only IE 8 and 9?

--
XP Pro SP3 P4 3.2 HT 2 GB RAM Avast! 9.0.2018 AIS
Win 7 Home Pro SP1 Pentium D 2.8 3 GB RAM Avast 9.0.2018 AIS
Secunia PSI 2.0.0.3003 XP Pro 32-bit & Win 7 H Pro 64-bit
Was this reply relevant?
+0
-0
mogs RE: Microsoft reports IE zero-day attacks
Expert Contributor 19th Sep, 2013 05:31
Score: 2265
Posts: 6,268
User Since: 22nd Apr 2009
System Score: 100%
Location: UK
@joe schmoe

If it has been narrowed down...it just seems to be inasmuch that 8 and IE9 have already suffered attacks.

Regards....mogs

--
Was this reply relevant?
+0
-0
mogs RE: Microsoft reports IE zero-day attacks
Expert Contributor 19th Sep, 2013 05:33
Score: 2265
Posts: 6,268
User Since: 22nd Apr 2009
System Score: 100%
Location: UK
September 18th, 2013, 20:07 GMT · By Bogdan Popa
More Details on Internet Explorer 0-Day Flaw Emerge

Microsoft this morning rolled out a patch to fix a security flaw in Internet Explorer, confirming that a number of attacks aimed at IE8 and IE9 users have indeed been reported.

Wolfgang Kandek, CTO of Qualys, explained in a blog post that attackers are usually trying to exploit the 0-day flaw using compromised websites with JavaScript code, so blocking these pages would be the first step to stay on the safe side.

“The attacker exploits the vulnerability by setting up a malicious webpage which uses JavaScript code to prepare a use-after-free condition, where previously allocated memory, whose content the attacker can control, is accessed after it has been marked as not used anymore,” Kandek explained.

“The exploit depends on a Microsoft Office DLL which has been compiled without Address Space Layout Randomization (ASLR) to locate the right memory segment to attack, but this DLL is extremely common and most likely will not lower the affected population by much.”

Some attacks have been aimed at Japanese users, Kandek added, but this doesn’t necessarily mean that everybody else is fully protected. As a result, users are recommended to deploy the Fix It tool released by Microsoft as soon as possible and wait for a patch to address the security vulnerability.

http://news.softpedia.com/news/More-Details-on-Int...

--
Was this reply relevant?
+0
-0
taffy078 RE: Microsoft reports IE zero-day attacks
Contributor 19th Sep, 2013 08:27
Score: 408
Posts: 1,352
User Since: 26th Feb 2009
System Score: 100%
Location: UK
Keep up the good work, Mogs. If I hadn't seen this here, I would not have had a clue that there was a problem with IE.

You say that MS have released a patch but a check on this XP/IE8 desktop on their Update site shows nothing - there are no High Priority updates for this PC. Any thoughts?

One of the experts Wolfgang Kandek, CTO of Qualys is quoted as saying "that attackers are usually trying to exploit the 0-day flaw using compromised websites with JavaScript code, so blocking these pages would be the first step to stay on the safe side." For all this means to me - and probably every average PC user - this might well have been written in ancient Greek.

Has anyone a plain English version? Is it in fact something that an average PC user could do?

PS I had to open the forum again to find the quote - when I did, every post had besides it "Deleted - this User no longer exists". I didn't have chance to take a screen print and now, when I try to recreate it (by opening the forum again) all is back to normal. How strange!

--
taffy078, West Yorkshire, UK

Desktop: Compaq Presario (OEM) 32 bit / AMD Athlon / 2 GB RAM
XP Home - SP3/ IE8/ Norton IS - Secunia PSI v2.0.0.3003

Laptop: Win 7 / IE11 / PSI v2.0.0.3003
Was this reply relevant?
+0
-0
mogs RE: Microsoft reports IE zero-day attacks
Expert Contributor 19th Sep, 2013 13:28
Score: 2265
Posts: 6,268
User Since: 22nd Apr 2009
System Score: 100%
Location: UK
@taffy078

Hi taffy !

It's a Fixit and a reset of some IE configurations....from what I can see of it, that results in a partial fix http://support.microsoft.com/fixit/ then click on IE.
That, and taking good care when browsing should keep safe tho'. Best advice is to use another browser, if you have access to.....until MS issue an out of band patch sometime soon, hopefully.

All versions IE are affected....but it seems IE8/9 have already been hit.

Hope that's clearer for you.....mogs.......

--
Was this reply relevant?
+3
-3
Maurice Joyce RE: Microsoft reports IE zero-day attacks
Handling Contributor 19th Sep, 2013 15:19
Score: 11865
Posts: 9,101
User Since: 4th Jan 2009
System Score: N/A
Location: UK
@taffy078

The simple answer is to subscribe to Brian Krebs by RSS feed to get updated on security matters.

It is easy reading for all with no over hype, no adware, no tracking cookies & a blog you can subscribe to.

His post on this subject is here plus the link to create an RSS.

http://krebsonsecurity.com/2013/09/microsoft-ie-ze...

which includes a link to the Fix it tool if required with additional details of the CVE.

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=...

which states IE versions 6 - 11 may be affected.

Secunia of course is another source but currently it is virtually impossible to do any meaningful research because of the slowness of their system.

If using the Qualys Browser checker they produce easy to understand information from the scan result.

https://community.qualys.com/blogs/laws-of-vulnera...

This blog from Microsoft might also help:

http://blogs.technet.com/b/srd/archive/2013/09/17/...

You will note that on initial testing it looks like Joe Schmoe's observation has credibility in that it cannot be reproduced by all browsers & Windows versions.






--
Maurice

Windows 7 SP1 64 Bit OS
HP Intel Pentium i7
IE 11 for Windows 7 SP1
16GB RAM
Was this reply relevant?
+4
-0
mogs RE: Microsoft reports IE zero-day attacks
Expert Contributor 19th Sep, 2013 19:52
Score: 2265
Posts: 6,268
User Since: 22nd Apr 2009
System Score: 100%
Location: UK
70 percent of business users vulnerable to latest Internet Explorer Zero-Day
By Steve Ragan | CSO | 19 September 13


According to Microsoft, a zero day flaw in Internet Explorer (IE), which impacts all versions of the browser, is being actively exploited in the wild. Reports of exploitation, according to Microsoft, seem to have criminals focused on IE versions 8 and 9.

"We reviewed third-party telemetry feeds from real-time global internet requests to determine the initial scope. While the exploit appears to affect all versions of IE, at the moment attacks only seem to be targeting users of IE8 and IE9 who are running Windows 7 and XP operating systems," Websense's director of security research, Alex Watson, said in a statement.

According to the advisory, Microsoft said that IE installations running on Server 2003, 2008 and 2012 will mitigate the vulnerability due to its installation parameters. Experts have suggested that the scope of the problem is bad enough that Microsoft will likely go out-of-band to release a fix.

"This recently discovered Internet Explorer zero day vulnerability is bad. Users and administrators should take immediate action to mitigate the risk. Considering the timing, I personally expect to see an out of band patch from Microsoft," Rapid7's senior manager of security engineering, Ross Barrett, told CSO.

"All versions of IE are affected, which means that this vulnerability has likely been present since IE 6 was released in 2001. The fact that it is getting attention now is due to either a noticeable volume [of attacks] or impact of active exploitation in the wild. It may have just been discovered last week, or it may have been in the private toolkit of the world's best malware writers for more than a decade. This is as severe as any browser issue can be."

More to read at :-
http://www.pcadvisor.co.uk/news/security/3469694/7...




--
Was this reply relevant?
+3
-0

Maurice Joyce

RE: Microsoft reports IE zero-day attacks
This reply has been deleted
mogs RE: Microsoft reports IE zero-day attacks
Expert Contributor 23rd Sep, 2013 12:33
Score: 2265
Posts: 6,268
User Since: 22nd Apr 2009
System Score: 100%
Location: UK
Security org raises Internet threat level after seeing expanded IE attacks
Gang responsible for Bit9 hack in February responsible for latest attacks exploiting IE 'zero-day,' says FireEye

By Gregg Keizer
September 23, 2013 06:14 AM ET

Computerworld - The Internet Storm Center on Saturday boosted its threat level to "Yellow," indicating a "significant new threat" to Internet users from attacks exploiting an unpatched vulnerability in all versions of Microsoft's Internet Explorer (IE) browser.

"The Internet Storm Center is beginning to see increased evidence of exploits in the wild regarding Microsoft Security Advisory 2887505," the security organization said on its website. "Accordingly, we're moving the InfoCon up to Yellow."

Microsoft's advisory, published Sept. 17, acknowledged that hackers were exploiting Internet Explorer 8 (IE8) and IE9, but added that the vulnerability -- which remains unpatched -- affected all versions of the browser, from the 12-year-old IE6 to the not-yet-released IE11. Microsoft has not said when it will patch the bug, but it has offered protective steps customers can take in the meantime.

The Internet Storm Center's (ISC) update to Yellow was triggered in large part by revelations Saturday by FireEye, a Milpitas, Calif. security company. In a detailed analysis, FireEye outlined a hacker campaign that has targeted Japanese organizations since Aug. 19. The campaign uses exploits of the IE "zero-day" vulnerability to compromise Windows PCs and plant additional malware on those machines.

http://www.computerworld.com/s/article/9242570/Sec...

--
Was this reply relevant?
+3
-0
MehulBhai RE: Microsoft reports IE zero-day attacks
Member 23rd Sep, 2013 15:09
Score: 36
Posts: 12
User Since: 17th Jul 2011
System Score: N/A
Location: IN
Last edited on 23rd Sep, 2013 15:25
Hi Maurice Joyce,
The TechNet Article you mentioned is rather 1 Year old. Please go through it properly.
Was this reply relevant?
+5
-0
Maurice Joyce RE: Microsoft reports IE zero-day attacks
Handling Contributor 23rd Sep, 2013 19:10
Score: 11865
Posts: 9,101
User Since: 4th Jan 2009
System Score: N/A
Location: UK
Last edited on 23rd Sep, 2013 19:12
Thank you for that - I got info by email from MS & took it at face value - I will redraw it until I can contact the source.

--
Maurice

Windows 7 SP1 64 Bit OS
HP Intel Pentium i7
IE 11 for Windows 7 SP1
16GB RAM
Was this reply relevant?
+3
-0
taffy078 RE: Microsoft reports IE zero-day attacks
Contributor 24th Sep, 2013 19:14
Score: 408
Posts: 1,352
User Since: 26th Feb 2009
System Score: 100%
Location: UK
I am paranoid - I'm not using IE except for this post, which is to ask where the heck is the MS patch that was due out last weekend?

Or have I missed something?

PS If every IE user is at risk, does that include anyone using IE to download the MS patch?

--
taffy078, West Yorkshire, UK

Desktop: Compaq Presario (OEM) 32 bit / AMD Athlon / 2 GB RAM
XP Home - SP3/ IE8/ Norton IS - Secunia PSI v2.0.0.3003

Laptop: Win 7 / IE11 / PSI v2.0.0.3003
Was this reply relevant?
+0
-0
taffy078 RE: Microsoft reports IE zero-day attacks
Contributor 24th Sep, 2013 19:22
Score: 408
Posts: 1,352
User Since: 26th Feb 2009
System Score: 100%
Location: UK
PS Why don't PSI scans pick up the IE problem?

--
taffy078, West Yorkshire, UK

Desktop: Compaq Presario (OEM) 32 bit / AMD Athlon / 2 GB RAM
XP Home - SP3/ IE8/ Norton IS - Secunia PSI v2.0.0.3003

Laptop: Win 7 / IE11 / PSI v2.0.0.3003
Was this reply relevant?
+0
-0
mogs RE: Microsoft reports IE zero-day attacks
Expert Contributor 24th Sep, 2013 20:58
Score: 2265
Posts: 6,268
User Since: 22nd Apr 2009
System Score: 100%
Location: UK
@taffy078

Hi Taffy.

The risk is mitigated by the Fix it .....and obviously mindfulness re where and what browsing/clicking. ........
I don't quite understand why, either: psi was initially picking up the vulnerability ( 98% and then 97% ) caused by IE9...but sometime later.....tho' I hadn't done the Fix....reverted to giving me a 100%. I presumed at the time they'd had access to additional info.

As time has gone by tho', reports still suggest the risk, if anything, is greater.
I'm not getting too perturbed by it....I would if I were wholly reliant on IE.....It seems to me the safest option is to use another browser wherever possible.

We seem to be somewhere between worrisome reports and some playing the whole thing down.
Perhaps it's more of an industrial than personal user orientated zero day....hence the seeming sometimes conflict in attitudes ?

Regards.....mogs

--
Was this reply relevant?
+0
-0
mogs RE: Microsoft reports IE zero-day attacks
Expert Contributor 24th Sep, 2013 21:26
Score: 2265
Posts: 6,268
User Since: 22nd Apr 2009
System Score: 100%
Location: UK
Internet Explorer zero-day attackers linked to Bit9 hackers
By Antone Gonsalves | CSO | 24 September 13
A criminal group exploiting the recently discovered Internet Explorer browser zero-day vulnerability has been linked to the Chinese hackers who compromised the Bit9 security platform earlier this year.

The connection between the two groups is in the command and control infrastructure used, says security vendor FireEye. Within the two infrastructures were similar malware, IP addresses and email addresses used to register domains.

The latest attack, which FireEye has dubbed Operation DeputyDog, appears to target manufacturers, government entities and media organizations in Japan, said Darien Kindlund, manager of FireEye Threat Intelligence. The group hid IE exploits on three Japanese news sites, hoping to compromise visitors' PCs.

The compromised sites recorded more than 75,000 page views before the exploits were discovered. The attackers apparently were casting a wide net in looking for systems belonging to the desired targets. The exploit would have worked on all versions of IE, starting with IE 6.

"Maybe only a fraction of those compromised systems are really their true intended targets," Kindlund said. "The others are considered collateral damage."

Microsoft acknowledged Sept. 17 that there was a previously unknown vulnerability in IE that was being exploited by cybercriminals on the Internet. The attack in Japan was discovered two days after Microsoft disclosed the flaw, which enables criminals to execute code on victims' computers.

Researchers have said that nearly 70 percent of Windows business users are open to attack. The threat is serious enough that experts believe Microsoft will release a fix before its scheduled monthly patch release set for Oct. 8.

Bit9 revealed in February that its code-signing certificates had been stolen, making it possible for the thieves to bypass the vendor's security platform and run malware on customer's systems.

The certificates are used to identify trusted applications on customers' whitelists of approved software. The hackers apparently figured out a way to go around this normally effective system by going after the vendor first.

In a report released last week, Symantec identified the Bit9 attackers, dubbed the Hidden Lynx group, as a professional team of hackers for hire who have operated since at least 2009.

The group is able to run multiple campaigns at once and has breached some of the "world's best-protected organizations," Symantec said. The infrastructure and tools used by the hackers originate from network infrastructure in China.

The hackers typically use Trojans designed specifically for a pay-to-order attack to steal intellectual property.

http://www.pcadvisor.co.uk/news/security/3470426/i...

--
Was this reply relevant?
+0
-0
mogs RE: Microsoft reports IE zero-day attacks
Expert Contributor 27th Sep, 2013 16:32
Score: 2265
Posts: 6,268
User Since: 22nd Apr 2009
System Score: 100%
Location: UK
IE zero-day actively being exploited in the wild: Rapid7
Summary: Criminals are actively abusing the zero-day vulnerability found in Internet Explorer, with exploit code now being found in the wild.

By Michael Lee | September 27, 2013 -- 05:43 GMT (06:43 BST)

Businesses running Internet Explorer should consider taking better precautions now that code to exploit a recently discovered zero-day vulnerability in the browser is making the rounds.

According to Rapid7 senior engineering manager Ross Barrett, exploit code is now being widely distributed on the web. He said that earlier this week, he saw exploit code submitted to Virus Total and Scumware.

Attackers typically exploit weaknesses in websites, for example, taking advantage of out-of-date WordPress implementations to upload their own content to servers. Then, through spam or phishing campaigns, herd unsuspecting users to these "drive-by" sites, which in turn exploit the users directly.

These sites eventually get reported to services like Virus Total and Scumware to help others identify them as malicious. But they also have the secondary effect of being good indicators of how well known a certain exploit is.

Barrett claims that with the high incidence of reports, the zero day is "about to become [as] severe as any browser issue can be".

He said that exploitation seems to only be limited to versions 8 and 9 of the browser, even though all versions at this point are vulnerable.

According to StatCounter, for the year thus far, Internet Explorer 8 and 9 represent 20.15 percent of all browsers. Including all versions of Internet Explorer puts its market share at 27.98 percent.

Barrett suggests that users simply not use Internet Explorer to avoid exposing themselves to unnecessary risk. For those that must, he said they should install all patches and upgrade to the latest version, even though he admits that neither action will do much to directly mitigate the vulnerability at this time.

The vulnerability was reported by Microsoft in mid September, but details on it only emerged earlier this week. It is alleged that attackers have already been using the vulnerability to target Japanese organisations.

http://www.zdnet.com/ie-zero-day-actively-being-ex...

--
Was this reply relevant?
+0
-0
mogs RE: Microsoft reports IE zero-day attacks
Expert Contributor 27th Sep, 2013 21:09
Score: 2265
Posts: 6,268
User Since: 22nd Apr 2009
System Score: 100%
Location: UK

IE zero-day vulnerability exploited more widely than previously thought
Security researchers identified attacks that exploited the vulnerability to target organizations in Taiwan since at least July

By Lucian Constantin | 27 September 13

A recently announced and yet-to-be-patched vulnerability that affects all versions of Microsoft Internet Explorer (IE) has been exploited in targeted attacks against organizations in Taiwan since the beginning of July, according to security researchers.

Microsoft published a security advisory about the vulnerability, which is identified as CVE-2013-3893, on Sept. 17 and warned users that it is "aware of targeted attacks that attempt to exploit this vulnerability in Internet Explorer 8 and Internet Explorer 9."
The company released a Microsoft "Fix it" workaround that customers can manually download and install in order to mitigate the vulnerability. However, no patch has yet been released through Windows Update.
On Saturday, researchers from security firm FireEye reported that a known hacker group has been using the vulnerability to target organizations in Japan as part of an attack campaign dubbed "Operation DeputyDog" that started on Aug. 19. They believe that this is the same group that managed to break into the computer network of security firm Bit9 as part of a different attack campaign in February and used one of its systems to digitally sign several pieces of malware.
New evidence found by researchers from security firms Websense and AlienVault suggests that the new IE zero-day -- yet unpatched -- vulnerability was also used to target organizations in Taiwan.
On Sept. 25, Websense detected an attack against one of its customers -- a major financial institution from Japan -- that was using an exploit for CVE-2013-3893. When they investigated the incident, they found that the exploit code was hosted on a server based in Taiwan and the malware installed by the exploit was calling back to a command-and-control domain name registered in March.
Looking at past telemetry data, they identified a potential victim organization in Taiwan that was communicating with the same command and control server as far back as July 1, 2013.
"These C&C communications predate the widely reported first use of this attack infrastructure by more than six weeks, and indicates that the attacks from this threat actor are not just limited to Japan," the Websense researchers said Thursday in a blog post. These older attacks are most likely linked to Operation DeputyDog, but they have enough variations to indicate that different high-profile attack teams may be using the same tool sets, they said.
Security researchers from AlienVault also believe that the new IE vulnerability was used to attack organizations in Taiwan, because they found a variant of the exploit hosted on a subdomain of Taiwan government's online e-procurement system.
Users who visit the main website for the first time will get redirected to the exploit page, AlienVault researcher Jaime Blasco said in a blog post.
The vulnerability affects all versions of Internet Explorer, but the exploits seen so far target only Internet Explorer 8 and 9 running on Windows XP and Windows 7 systems. Websense estimates that nearly 70 percent of Windows-based PCs are vulnerable.

http://www.pcadvisor.co.uk/news/security/3471090/i...

--
mogs RE: Microsoft reports IE zero-day attacks
Expert Contributor 2nd Oct, 2013 05:33
Score: 2265
Posts: 6,268
User Since: 22nd Apr 2009
System Score: 100%
Location: UK
Public release of IE exploit could spark widespread attacks
Exploit module for yet-to-be-patched Internet Explorer vulnerability added to Metasploit

By Lucian Constantin
October 1, 2013 01:19 PM ET

IDG News Service - An exploit for a vulnerability that affects all versions of Internet Explorer and has yet to be patched by Microsoft has been integrated into the open-source Metasploit penetration testing tool, a move that might spur an increasing number of attacks targeting the flaw.

The vulnerability is known as CVE-2013-3893 and was announced by Microsoft on Sept. 17 after the company became aware of its use in targeted attacks. The company released a temporary "Fix It" tool that customers can download and install to address the flaw, but no permanent patch has been released through Windows Update.

The vulnerability affects all versions of Internet Explorer and can be exploited to execute arbitrary code on computers when IE users visit a specially crafted Web page hosted on a malicious or compromised website.

Security researchers have issued warnings about ongoing attack campaigns that have been using the vulnerability to target organizations in Japan and Taiwan since late August or even July, according to some reports.

Since August 29, when an exploit for this vulnerability was first detected as part of an attack dubbed "Operation DeputyDog," the exploit was adopted by at least two more APT (advanced persistent threat) groups and used in targeted attacks, according to a new report by researchers from security firm FireEye.

On Monday, exploit developer and Metasploit contributor Wei Chen released a CVE-2013-3893 exploit module for the popular penetration testing tool. Chen noted that the module is based on the exploit code that's already being used by attackers.

The inclusion of the exploit in Metasploit is significant, because while this tool is primarily aimed at security professionals, cybercriminals have made a habit of borrowing exploits from it and using them in their own attacks.

"As long as cybercriminals get access to the exploit code made publicly available we will see instances of the exploit being used by regular cybercriminals and probably we will find the exploit in some of the most famous Exploit Kits," said Jaime Blasco, manager of the research team at security firm AlienVault, Saturday via email. "I'm sure if Metasploit includes this exploit we will see an increase on widespread exploitation."

The exploit kits Blasco refers to are commercial crimeware tools like Black Hole that are available to a large number of cybercriminals and which are generally used in attacks that have a much wider scope than APT campaigns.

It's highly possible that the exploit is already being used as part of such exploit kits, said Metasploit engineering manager Tod Beardsley, Tuesday via email. The exploit used in the new Metasploit module was obtained from existing attacks and there are similarities between it and prior exploits known to be used in such tools.

In particular, the exploit contains system fingerprinting code that's not actually used, which suggests the original author is at least familiar with prior exploits found in exploit packs, Beardsley said.

According to Chen, the junk fingerprinting code appears to have been reused in various exploits since at least 2012.

Microsoft's next batch of security updates is scheduled for Oct. 8, but it's not clear if the company will issue a permanent patch for this particular vulnerability at that time.

Beardsley hopes it will. "The Fix It is effective, so I hope it would be straightforward to patch properly," he said.

http://www.computerworld.com/s/article/9242875/Pub...

--
mogs RE: Microsoft reports IE zero-day attacks
Expert Contributor 4th Oct, 2013 04:36
Score: 2265
Posts: 6,268
User Since: 22nd Apr 2009
System Score: 100%
Location: UK
Microsoft to patch zero-day IE bug now under attack
Eight updates will plug holes in IE, Windows, Office, SharePoint and Silverlight


By Gregg Keizer
October 3, 2013 04:00 PM ET
Computerworld - Microsoft today said it will ship eight security updates next week to patch critical vulnerabilities in Windows and Internet Explorer (IE), with the one aimed at IE plugging the hole attackers have been exploiting for months.

"The Critical update for Internet Explorer will be a cumulative update which will address the publicly disclosed issue described in Security Advisory 2887505," confirmed Dustin Childs on the Microsoft Security Response Center (MSRC) blog today.

Security experts identified the IE update as the one to deploy first, citing the fact that one of the vulnerabilities has been used by cyber criminals in targeted attacks against users in Japan and Taiwan.

"IE is always top of the list," said Andrew Storms, director of DevOps at cloud security vendor CloudPassage, in an interview today.

On Sept. 17, Microsoft confirmed that hackers were exploiting a critical unpatched vulnerability in Internet Explorer 8 (IE8) and Internet Explorer 9 (IE9). The bug, however, existed in all versions of the browser, including the 12-year-old IE6 and the newest IE11.

Over the next two weeks, security companies reported that attacks had been aimed at Japanese and Taiwanese organizations since July. And earlier this week, exploit code went public as a working module was added to the open-source Metasploit penetration framework. Researchers predicted that the Metasploit appearance would result in an increase in attacks as less-capable hackers copied the code and added it to their weaponized toolkits.

"Once it went into Metasploit, I anticipated an early release of a patch by Microsoft," said Storms today. "Obviously the patch is done, but Microsoft's and its partners' telemetry must have shown that there were no reasons to go out-of-band."

Historically, Microsoft has issued "out-of-band" updates -- those outside the normal monthly release schedule -- only when it believes large numbers of its customers are at risk. The company has never publicly disclosed how it decides when to ship an out-of-band security update.

The early date of October's Patch Tuesday -- always the second Tuesday of the month -- may have played a part in Microsoft's decision to hold the update and not go out-of-band, Storms said.

The IE update was just one of four rated "critical" by Microsoft. The remaining three critical updates were all aimed at Windows, including one that applied to the newest Windows 8, Windows RT, Windows 8.1 and Windows RT 8.1, according to Microsoft's advanced notification distributed today.

Experts recommended that customers install the Windows updates as soon as possible after their release. "Bulletins 2 and 3 are through the stack and might end up rating more attention than the IE update," warned Storms.

Microsoft said Bulletin 3 did not affect Windows 8.1 or Windows RT 8.1, but that Bulletin 2 did.

The other four updates will patch vulnerabilities in Excel, other pieces of Office, the SharePoint collaboration server software and Silverlight, a media format Microsoft seems to have discarded or at least isn't interested in developing further.

Because the Office-related vulnerabilities were ranked as "important" even though Microsoft said hackers could exploit them to plant malware on customers' PCs, Storms said it was probable that any attack code required considerable user interaction to work, such as downloading files, opening shared folders or clicking through multiple warnings.

"Being exploited via a drive-by is not going to happen," said Storms, referring to the most dangerous attacks, which only require a user to visit a malicious website to trigger exploits.

Microsoft will release next week's security updates on Oct. 8 around 1 p.m. ET.

http://www.computerworld.com/s/article/9242950/Mic...

--
SOMARLIdR RE: Microsoft reports IE zero-day attacks
Member 6th Oct, 2013 18:14
Score: 5
Posts: 3
User Since: 9th Sep 2013
System Score: N/A
Location: ES
Hope they do it on October 8 finally, time is passing, it is highly possible Chinese hackers put several backdoors in our systems over this weekend :)
mogs RE: Microsoft reports IE zero-day attacks
Expert Contributor 7th Oct, 2013 16:43
Score: 2265
Posts: 6,268
User Since: 22nd Apr 2009
System Score: 100%
Location: UK
Last edited on 7th Oct, 2013 17:00
Internet Explorer Not a Safe Choice Right Now, Expert Says

October 7th, 2013, 13:15 GMT · By Bogdan Popa

An unpatched vulnerability in Internet Explorer would allow an attacker to take control of a vulnerable computer, with the flaw said to exist in basically all versions of the browsers.

New reports claim that the public exploit is now being used by more and more hackers, with Microsoft only planning to release the fix this week as part of the Patch Tuesday cycle.

But as far as Ken Pickering, director of engineering at CORE Security, is concerned, users should really stay away from Internet Explorer until this patch is delivered.

"Realistically, people should avoid using IE if possible until the patch for this fix is released," he told eWeek.

"I personally believe in responsible release of exploits, giving the vendor time to appropriately patch the problem rather than making the situation even worse by giving unskilled attackers the capability to abuse this zero-day. Even in this case where the exploit is publicly disclosed, including it in any framework before Microsoft has had a chance to roll something out can potentially make the situation much worse."

The patch will be delivered to IE users tomorrow using the same Windows Update tool, so make sure you install the available fixes as soon as possible.

http://news.softpedia.com/news/Internet-Explorer-N...


--
mogs RE: Microsoft reports IE zero-day attacks
Expert Contributor 8th Oct, 2013 23:18
Score: 2265
Posts: 6,268
User Since: 22nd Apr 2009
System Score: 100%
Location: UK
Microsoft patches 28 vulnerabilities, including zero-day
Summary: October's patches are described in eight bulletins and address problems in Windows, Office, SharePoint Server, Silverlight, and Internet Explorer. One of the IE bugs has been exploited in the wild for some time now.

Larry Seltzer
By Larry Seltzer for Zero Day | October 8, 2013 -- 18:14 GMT (19:14 BST)

Microsoft on Tuesday released patches for 28 vulnerabilities in numerous products. The most important ones for most users fix serious vulnerabilities in Internet Explorer, Windows and the .NET Framework.

Here is a breakdown of the bulletins and what they address.

MS13-80 (Critical): Cumulative Security Update for Internet Explorer (2879017) - This is a cumulative update for Internet Explorer which addresses 10 vulnerabilities, one of which is a zero-day vulnerability in the wild for over a week. (Microsoft had provided a Fix-It as an interim measure.)

MS13-81 (Critical): Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (2870008) - This update fixes 7 vulnerabilities reported by outside researchers. One could allow complete system compromise when the user views maliciously-constructed OpenType fonts, and another for TrueType fonts. The other 5 are privilege escalation bugs. All versions of Windows other than 8.1, 8.1 RT and Server 2012 R2 are affected.

MS13-82 (Critical): Vulnerabilities in .NET Framework Could Allow Remote Code Execution (2878890) — This describes 3 vulnerabilities in most versions of the .NET Framework. The one critical vulnerability is the same OpenType parsing bug in MS13-081.

MS13-83 (Critical): Vulnerability in Windows Common Control Library Could Allow Remote Code Execution (2864058) — A vulnerability in Windows can be exploited through an ASP.NET web application running on it.

MS13-84 (Important): Vulnerabilities in Microsoft SharePoint Server Could Allow Remote Code Execution (2885089)

MS13-85 (Important): Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (2885080)

MS13-86 (Important): Vulnerabilities in Microsoft Word Could Allow Remote Code Execution (2885084)

MS13-87 (Important): Vulnerability in Silverlight Could Allow Information Disclosure (2890788)

This month marks 10 years of Patch Tuesdays.

http://www.zdnet.com/microsoft-patches-28-vulnerab...

--

This thread has been marked as locked.

