
Forum Thread: New IE zero-day attack reported

You are currently viewing a forum thread in the Secunia Community Forum. Please note that opinions expressed here are not of Secunia but solely reflect those of the user who wrote it.

This thread was submitted in the following forum:
Open Discussions

This thread has been marked as resolved.
mogs New IE zero-day attack reported
Expert Contributor 9th Nov, 2013 15:58
Ranking: 2265
Posts: 6,266
User Since: 22nd Apr, 2009
System Score: 100%
Location: UK
Last edited on 9th Nov, 2013 15:59

Summary: Security company FireEye has found a zero-day exploit in Internet Explorer hosted on a breached web site in the United States. EMET may be used to mitigate.

By Larry Seltzer for Zero Day | November 9, 2013 -- 14:43 GMT


Researchers at network security company FireEye have identified a zero-day exploit of Internet Explorer on a breached web site.

The specific exploit targets the English versions of Internet Explorer 7 and 8 on Windows XP and IE8 on Windows 7. FireEye says their analysis indicates that the vulnerability behind it affects IE 7, 8, 9 and 10.

FireEye does not say if IE10 on Windows 8 is affected or if they examined IE11.

There are two vulnerabilities involved in the attack: the first is an information disclosure vulnerability which the exploit uses to retrieve the timestamp from the PE headers of msvcrt.dll (part of the Microsoft Visual C++ runtime). The second is an IE out-of-bounds memory access vulnerability, used to achieve code execution.

Many versions of msvcrt.dll are in distribution, so the exploit sends the timestamp back to the attacker's server, which returns an out-of-bounds exploit specific to the user's version.

The exploit contains a "ROP chain" according to FireEye. ROP is Return-Oriented Programming, a technique generally blocked by Address Space Layout Randomization (ASLR), introduced in Windows Vista (a version of Windows unmentioned by FireEye). That the exploit works on Windows XP is no surprise, but for it to work on Windows 7 is more unusual.

The report doesn't say much about the payload, other than that it is large and multi-stage.

FireEye is working with Microsoft on researching the attack. The report says that the vulnerability can be mitigated using Microsoft's Enhanced Mitigation Experience Toolkit (EMET) 4.0, presumably focusing on msvcrt.dll. Be careful, as you will likely have multiple copies of multiple versions of this DLL on your system.

http://www.zdnet.com/new-ie-zero-day-attack-report...

--

Post "RE: New IE zero-day attack reported" has been selected as an answer.
ddmarshall RE: New IE zero-day attack reported
Dedicated Contributor 9th Nov, 2013 21:12
Score: 1198
Posts: 954
User Since: 8th Nov 2008
System Score: 98%
Location: UK
If anyone wants to use EMET to mitigate this, they would need to add iexplore.exe to the protected applications. EMET does not operate at the DLL level. The sample 'Recommended Software' profile includes Internet Explorer.

The ROP mitigations in EMET 4.0 seem to break more applications than previous releases. The sample 'Popular Software' profile caused Photo Gallery and SkyDrive desktop application to crash on my Windows 7 Professional 32-bit system.

--
This answer is provided “as-is.” You bear the risk of using it.
Was this reply relevant?
+0
-0
mogs RE: New IE zero-day attack reported
Expert Contributor 12th Nov, 2013 00:30
Score: 2265
Posts: 6,266
User Since: 22nd Apr 2009
System Score: 100%
Location: UK
@ddmarshall

Do you notice any differences regarding speed/performance when using EMET ? Have you used it with Vista ?
I'm just wondering whether to try it....I haven't got Adobe, Java....other than already in Chromes....IE9 I don't use much.....any info/advice I'd be glad of.....thanks.....regards.....mogs.......

--
Was this reply relevant?
+0
-0
mogs RE: New IE zero-day attack reported
Expert Contributor 12th Nov, 2013 00:43
Score: 2265
Posts: 6,266
User Since: 22nd Apr 2009
System Score: 100%
Location: UK
November 11th, 2013, 13:17 GMT · By Bogdan Popa
Internet Explorer Zero-Day Flaw Exposes Windows 7, XP Users

FireEye Labs has discovered a new security flaw in Internet Explorer, warning that users of both Windows XP and Windows 7 are vulnerable to attacks when visiting a compromised website.

Researchers at the security company FireEye said that cybercriminals were trying to exploit two different vulnerabilities in their attacks, explaining that Internet Explorer users on both Windows XP and Windows 7 were exposed when loading a malicious website.

First of all, Internet Explorer has an information disclosure vulnerability used to “retrieve the timestamp from the PE headers of msvcrt.dll,” according to the company.

“The timestamp is sent back to the attacker’s server to choose the exploit with an ROP chain specific to that version of msvcrt.dll. This vulnerability affects Windows XP with IE 8 and Windows 7 with IE 9,” it noted.

The second one is a memory access vulnerability that’s aimed at the English versions of IE7 and 8 on Windows XP and on Windows 7.

“This exploit has a large multi-stage shellcode payload. Upon successful exploitation, it will launch rundll32.exe (with CreateProcess), and inject and execute its second stage (with OpenProcess, VirtualAlloc, WriteProcessMemory, and CreateRemoteThread). The second stage isn’t written to a file as with most common shellcode, which usually downloads an executable and runs it from disk,” FireEye also mentioned in a security advisory.

Microsoft will most likely skip this new zero-day flaw on Patch Tuesday, as it doesn’t have the time to prepare such an update, but FireEye says that it’s already working with Redmond on addressing these new vulnerabilities.

It turns out however that cybercriminals are already using the zero-day to launch attacks, as the same security company warns that there are signs that Operation DeputyDog was based on a similar scheme exploiting an Internet Explorer flaw.

“The attackers loaded the payload used in this attack directly into memory without first writing to disk – a technique not typically used by advanced persistent threat (APT) actors. This technique will further complicate network defenders’ ability to triage compromised systems, using traditional forensics methods,” the company noted.

We’ve reached out to Redmond to find more information on this, so we’ll update the article as soon as we get an answer.

http://news.softpedia.com/news/Internet-Explorer-Z...

--
Was this reply relevant?
+0
-0
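Because the second stage described in the quoted advisory never touches disk, process telemetry is the practical place to look for it. As an added example (not part of the original post or of FireEye's advisory), this Python sketch flags the sequence the advisory names: Internet Explorer starting rundll32.exe and then creating a thread inside that child. The event schema, field names and sample events are hypothetical and constructed for illustration.

```python
BROWSERS = {"iexplore.exe"}

def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def find_injection(events, window=30.0):
    """Return (browser_pid, child_pid) pairs where a browser started rundll32.exe
    and then created a thread inside it within `window` seconds."""
    spawned = {}  # child pid -> (parent pid, creation time)
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["type"] == "process_create":
            if (basename(ev["parent_image"]) in BROWSERS
                    and basename(ev["image"]) == "rundll32.exe"):
                spawned[ev["pid"]] = (ev["parent_pid"], ev["time"])
            else:
                spawned.pop(ev["pid"], None)  # pid reused by an unrelated process
        elif ev["type"] == "remote_thread":
            hit = spawned.get(ev["target_pid"])
            if hit and hit[0] == ev["source_pid"] and ev["time"] - hit[1] <= window:
                alerts.append((ev["source_pid"], ev["target_pid"]))
    return alerts

def create(t, ppid, pimg, pid, img):
    return {"time": t, "type": "process_create", "parent_pid": ppid,
            "parent_image": pimg, "pid": pid, "image": img}

def thread(t, src, dst):
    return {"time": t, "type": "remote_thread", "source_pid": src, "target_pid": dst}

IE = r"C:\Program Files\Internet Explorer\iexplore.exe"
RUNDLL = r"C:\Windows\System32\rundll32.exe"
EXPLORER = r"C:\Windows\explorer.exe"

# Constructed events in the hypothetical schema above (not real logs).
SAMPLE_EVENTS = [
    create(1.0, 900, EXPLORER, 2500, RUNDLL),   # shell-launched rundll32: ignored
    create(5.0, 900, EXPLORER, 2040, IE),
    create(20.0, 2040, IE, 3112, RUNDLL),       # browser starts rundll32 ...
    thread(20.4, 2040, 3112),                   # ... then injects a thread: alert
    create(40.0, 2040, IE, 3200, RUNDLL),       # browser child, no thread from it
    thread(41.0, 1500, 3200),                   # thread from another process: ignored
]

if __name__ == "__main__":
    for browser_pid, child_pid in find_injection(SAMPLE_EVENTS):
        print(f"browser pid {browser_pid} injected into rundll32 pid {child_pid}")
```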
ddmarshall RE: New IE zero-day attack reported
Dedicated Contributor 12th Nov, 2013 13:01
Score: 1198
Posts: 954
User Since: 8th Nov 2008
System Score: 98%
Location: UK
I've used EMET 3.0 with Vista. EMET 3.0 will be available on Microsoft Download until EMET 5.0 is released.

On Vista, I found an incompatibility with Trusteer Rapport. Internet Explorer would not start until some Rapport settings were changed. I can't remember what the settings were offhand. I don't install Rapport these days.

I've not noticed any performance hit from using EMET. It uses the Application Compatibility framework to load its code when the application is started. It does things like forcing address space randomisation and pre-allocating storage to prevent heap spraying. Before the ROP mitigations in EMET 4.0 it wasn't really doing that much once the program was running.
Have a look at the forum to see the type of problems that can crop up.
http://social.technet.microsoft.com/Forums/securit...


The IE zero day seems to be addressed in today's updates
http://blogs.technet.com/b/msrc/archive/2013/11/11...

--
This answer is provided “as-is.” You bear the risk of using it.
Was this reply relevant?
+5
-0
mogs RE: New IE zero-day attack reported
Expert Contributor 12th Nov, 2013 15:32
Score: 2265
Posts: 6,266
User Since: 22nd Apr 2009
System Score: 100%
Location: UK
@ddmarshall

After I'd posted to you last night, I decided to take another look at the EMET download.....watched the Dustin C. Childs explanatory video....tho' it seemed to pertain more to EMET 3.0....Read thro' all the info on there again....decided to jump right in ! Downloaded EMET 4.0....it was a much less complex procedure than was outlined.....and for the time being, have set it to look after itself.

Following that.....tho' my .Net Framework 4.0 had been showing up to date.....I was required to install extra security updates to it, along with three others rated Important. All did not go well, but succeeded after a few hours....having installed, after about four tries ! Needless to say, it's me that's the worse for wear today !! Secunia is showing a happy green too !!

So far so good....no hiccoughs apparent.....Have noted your comments and will look thro' the forum link you kindly provided as I familiarize myself with the workings of it over the coming days. Thank you.

Yes....the zero-day is to be addressed....will post regarding it after this.......regards....mogs.

--
Was this reply relevant?
+0
-0
mogs RE: New IE zero-day attack reported
Expert Contributor 12th Nov, 2013 15:39
Score: 2265
Posts: 6,266
User Since: 22nd Apr 2009
System Score: 100%
Location: UK
Microsoft to patch Internet Explorer ActiveX Control zero-day vulnerability
by Alastair Stevenson
12 Nov 2013

Microsoft has released a fix for an ActiveX Control critical vulnerability in its Internet Explorer (IE) browser that was being targeted by an advanced watering hole attack.
Microsoft Trustworthy Computing (TwC) group manager of response communications Dustin Childs confirmed the fix in a post on the company's Security Response Center blog.
"The security update will be distributed to customers tomorrow [Tuesday 12 November] via Windows Update at approximately 10am PDT [6pm GMT]. Customers who have Automatic Updates enabled will not need to take any action to receive the update," read the post.
The IE vulnerability was discovered by security firm FireEye earlier in November. The vulnerability is known to have been targeted with an advanced watering hole attack. Watering hole attacks are scams that see hackers turn websites commonly visited by their intended victim into malware-distribution tools.
The attack is significant as it was able to put malware directly onto a computer's memory without first writing it to the hard disk. The execution made it more difficult for companies to check whether their systems had been compromised by the malware using traditional techniques.
Childs called for businesses to take temporary protective measures while they wait for the full fix. These include setting the company's internet and local intranet security settings to high, configuring IE to send a prompt before running Active Scripting or disabling Active Scripting completely and deploying Microsoft's Enhanced Mitigation Experience Toolkit (EMET).

The IE vulnerability discovery comes during a reported boom in cyber attacks. Microsoft released a workaround fix for vulnerabilities in Microsoft's Lync, Office and Windows Server earlier in November, and it is now building a full patch.
The severity of the threat posed by hackers has led many companies to call for increased collaboration between security vendors. Symantec pledged to create a centralised information-sharing big data hub to help customers spot targeted attacks in October.

http://www.v3.co.uk/v3-uk/news/2306421/microsoft-t...

--
Was this reply relevant?
+0
-0

This thread has been marked as locked.

