
Cyberattacks December 2012 – New Internet Explorer Zero-Day

IE zero-day in the wild: this vulnerability is tracked as CVE-2012-4792

Marc Whitten

The zero-day was first disclosed by a US-based network security company on December 28, 2012, during an investigation of the compromise of the Council on Foreign Relations (CFR) website. In the security advisory released on December 29, Microsoft confirmed that Internet Explorer 6, 7 and 8 are vulnerable to this zero-day attack. The company expects to issue a fix within the next few days.

Internet-based sources revealed that this attack targets Internet Explorer installations configured for English (U.S.), Chinese (China), Chinese (Taiwan), Japanese, Korean, or Russian. Moreover, it only targets Internet Explorer with Adobe Flash installed: in this attack, Adobe Flash is used to perform a heap spray against Internet Explorer. The consequence of a successful attack is arbitrary code execution in the context of the logged-on user.

[Figure: Zero-day exploits explained, with graph, by Trend Micro]

How do attackers exploit this vulnerability?

Attackers make use of several components to exploit IE successfully: a malicious HTML file, a malicious .SWF file, and a malicious .EXE triggered as the final payload. When users connect to a compromised website, the malicious HTML file, exploit.html (detected as HTML_EXPDROP.II), serves as the entry point of the attack. It creates multiple instances of the image element (an array of them) in the document, i.e., the current web page, and sets the src of each one to the string “a”. These values are stored in heap memory; the heap is an area of pre-reserved memory that a program can use to store data of variable size.
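As a defender-side illustration added here (it is not code from the original post, from Trend Micro, or from the exploit), the following heuristic scans an HTML page for the shape just described: image elements created from script, their src set to the literal “a”, creation inside a loop, and a reference to a Flash .swf object. The two sample pages are constructed for the example; the scoring thresholds are assumptions, not a signature from any vendor.

```python
import re

# Constructed sample shaped like the entry page described above: a loop
# that builds an array of image elements with src "a" and loads a .swf.
SUSPICIOUS_HTML = """
<html><body>
<script>
var arr = new Array();
for (var i = 0; i < 200; i++) {
    arr[i] = document.createElement("img");
    arr[i].src = "a";
}
</script>
<embed src="today.swf" type="application/x-shockwave-flash"></embed>
</body></html>
"""

# Constructed benign page: one image created from script, a normal src, no Flash.
BENIGN_HTML = """
<html><body>
<script>
var logo = document.createElement("img");
logo.src = "/static/logo.png";
</script>
<p>Welcome</p>
</body></html>
"""

IMG_CREATE = re.compile(r'(?:document\.createElement\(\s*["\']img["\']\s*\)|new\s+Image\s*\()', re.I)
SRC_A = re.compile(r'\.src\s*=\s*["\']a["\']', re.I)
LOOP = re.compile(r'\bfor\s*\(', re.I)
SWF = re.compile(r'\.swf\b', re.I)

def scan_html(html):
    """Count indicators of the image-element heap-spray entry page and give a verdict.

    A page is flagged only when script creates image elements, assigns the literal
    src "a", does so in a loop (or many times inline), and also references a .swf.
    Thresholds are assumed values chosen for this example.
    """
    counts = {
        "img_create": len(IMG_CREATE.findall(html)),
        "src_a": len(SRC_A.findall(html)),
        "loops": len(LOOP.findall(html)),
        "swf_refs": len(SWF.findall(html)),
    }
    counts["suspicious"] = (
        counts["img_create"] > 0
        and counts["src_a"] > 0
        and (counts["loops"] > 0 or counts["img_create"] >= 16)
        and counts["swf_refs"] > 0
    )
    return counts

if __name__ == "__main__":
    for name, doc in (("suspicious", SUSPICIOUS_HTML), ("benign", BENIGN_HTML)):
        print(name, scan_html(doc))
```

A real deployment would run this over proxy-captured or sandbox-rendered HTML and treat a hit as a trigger for deeper analysis, since obfuscated scripts will not match plain regexes.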

What are other repercussions of unpatched systems?

Exploits generally allow attackers to drop or load malware that downloads other, more menacing malware onto vulnerable or unpatched systems. But even an up-to-date computer can be vulnerable to attacks through zero-day vulnerabilities. Zero-day exploits are more dangerous in nature as they target vulnerabilities that have yet to be resolved by the respective software vendors. Until the software vendor issues a workaround solution, i.e., a fix tool or the actual software update, users are left unprotected and vulnerable to threats.

Advisories:

  1. Upgrade Internet Explorer to version 9 or later. Microsoft confirmed that Internet Explorer 9 and 10 are not affected.
  2. If you have no choice but to use Internet Explorer version 8 or lower, you can block the attack by disabling JavaScript and Flash.
  3. Install the Enhanced Mitigation Experience Toolkit (EMET) and enable it to protect Internet Explorer: http://support.microsoft.com/kb/2458544
  4. Be wary before clicking on links received from known or unknown sources. An attacker would have to convince the user to take an action to exploit this vulnerability, typically by getting them to click on a malicious URL delivered through email, instant messaging, social networks, etc.