IE Zero-Day Vulnerability Exploiting msvcrt.dll
FireEye Labs has discovered an "exploit that leverages a new information leakage vulnerability and an IE out-of-bounds memory access vulnerability to achieve code execution." [1] Per their analysis, the leak is used to identify the version of msvcrt.dll loaded in the browser so that ASLR can be defeated before the memory access bug is triggered (hence msvcrt.dll in the title), and the vulnerability affects IE 7, 8, 9 and 10.
According to Microsoft, the vulnerability can be mitigated by EMET.[2][3] Additional details are in the FireEye Labs post.[1]
Update: FireEye Labs has published additional information on the payload delivered by this in-the-wild IE zero-day, Trojan.APT.9002 (a Hydraq/McRAT variant).[4] The Trojan runs only in memory and leaves very few artifacts on disk that could help identify infected clients. The post also includes a list of domains, MD5 hashes and User-Agent strings that can be used to look for infected hosts.[4]
Update 2: Microsoft is releasing a fix for this vulnerability (CVE-2013-3918), which is in an ActiveX control used by Internet Explorer, tomorrow as MS13-090; it was listed as "Bulletin 3" in the November Microsoft Patch Tuesday Preview.[5]
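Because the payload is diskless, the indicators a defender can realistically hunt for on endpoints are scarce, and the network indicators become the practical starting point. The script below is an added example and is not FireEye's or ISC's code: it scans constructed Squid-style proxy log lines (format assumed, with the User-Agent quoted as the last field) for hits against a domain and User-Agent indicator list. The domains and User-Agent string in it are placeholders; the real values are in the FireEye report [4] and must be substituted before use.

```python
"""Hunt proxy logs for the network indicators published with a diskless implant."""
import re
from typing import Dict, List, Optional

# PLACEHOLDER indicators: the real domains, MD5s and User-Agent strings for
# Trojan.APT.9002 are in the FireEye report [4]. These values are constructed
# for this example only and must be replaced with the published list.
IOC_DOMAINS = {"c2.example.invalid", "update.example.invalid"}
IOC_USER_AGENTS = {
    "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; PLACEHOLDER-UA)",
}

# Assumed Squid-style access log with a quoted User-Agent as the last field:
# <ts> <elapsed> <client> <action/code> <bytes> <method> <url> <user> <hier/peer> <type> "<UA>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+)\s+\S+\s+(?P<client>\S+)\s+\S+\s+\S+\s+(?P<method>\S+)\s+'
    r'(?P<url>\S+)\s+\S+\s+\S+\s+\S+\s+"(?P<ua>[^"]*)"$'
)


def host_of(url: str) -> str:
    """Return the lower-cased host from a full URL or a CONNECT 'host:port' target."""
    m = re.match(r'^(?:[a-z][a-z0-9+.-]*://)?([^/:]+)', url, re.IGNORECASE)
    return m.group(1).lower() if m else ""


def matches_domain(host: str) -> bool:
    """Exact or subdomain match against the IOC domain list."""
    return host in IOC_DOMAINS or any(host.endswith("." + d) for d in IOC_DOMAINS)


def scan_line(line: str) -> Optional[Dict[str, object]]:
    """Return a hit record for one log line, or None if nothing matched."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None  # unparsable line; a real tool would count these separately
    host = host_of(m.group("url"))
    hits: List[str] = []
    if matches_domain(host):
        hits.append("domain")
    if m.group("ua") in IOC_USER_AGENTS:
        hits.append("user-agent")
    if not hits:
        return None
    return {"ts": m.group("ts"), "client": m.group("client"), "host": host, "hits": hits}


def scan_log(lines: List[str]) -> List[Dict[str, object]]:
    """Scan every line; keep only hits, in log order."""
    return [rec for rec in (scan_line(ln) for ln in lines) if rec is not None]


# Constructed sample log: one benign request, one beacon to an IOC domain with
# the IOC User-Agent, and one TLS CONNECT to an IOC domain (no URL path visible).
SAMPLE_LOG = [
    '1384012800.123 45 10.0.0.5 TCP_MISS/200 512 GET http://www.example.org/index.html - DIRECT/93.184.216.34 text/html "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko"',
    '1384012801.456 30 10.0.0.5 TCP_MISS/200 1024 GET http://c2.example.invalid/x.gif - DIRECT/203.0.113.10 image/gif "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; PLACEHOLDER-UA)"',
    '1384012802.789 60 10.0.0.7 TCP_TUNNEL/200 2048 CONNECT update.example.invalid:443 - DIRECT/203.0.113.11 - "Mozilla/5.0 (Windows NT 5.1; rv:25.0) Gecko/20100101 Firefox/25.0"',
]

if __name__ == "__main__":
    for rec in scan_log(SAMPLE_LOG):
        print(f'{rec["ts"]} {rec["client"]} -> {rec["host"]} matched {",".join(rec["hits"])}')
```

A domain hit is the stronger signal; a User-Agent match on its own against a benign host is worth a look but is not proof of infection, since User-Agent strings are easy to share across unrelated tooling. The MD5 hashes in the report only help where something actually touched disk (for example a dropped loader), which is exactly what this payload avoids, so they are a secondary check rather than the primary one.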
[1] http://www.fireeye.com/blog/technical/2013/11/new-ie-zero-day-found-in-watering-hole-attack.html
[2] https://isc.sans.edu/forums/diary/EMET+40+is+now+available+for+download/16019
[3] http://www.microsoft.com/en-us/download/details.aspx?id=39273
[4] http://www.fireeye.com/blog/technical/cyber-exploits/2013/11/operation-ephemeral-hydra-ie-zero-day-linked-to-deputydog-uses-diskless-method.html
[5] http://blogs.technet.com/b/msrc/archive/2013/11/11/activex-control-issue-being-addressed-in-update-tuesday.aspx
-----------
Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu
Comments
Anonymous
Nov 10th 2013
Says that the actor here knew the vuln was about to be patched, that its value therefore had dropped to "throwaway," and they used it for targets where the risk of discovery was high.
Same is true of CVE-2013-1690 that the FBI used to unmask TOR users. The patch was already in the general Firefox distribution when the exploit was deployed against the not-yet updated TBB derivative Firefox.
More about that here
https://www.schneier.com/blog/archives/2013/10/how_the_nsa_att.html