Microsoft swatted a recently discovered zero-day bug being used in a watering hole attack as part of this month’s Patch Tuesday update.
The flaw, CVE-2013-3918, is a remote code execution vulnerability in the InformationCardSigninHelper ActiveX component used by Internet Explorer. The issue was already set to be fixed in MS13-090 before FireEye discovered it, explained Dustin Childs, group manager of response communications for Microsoft Trustworthy Computing.
According to Microsoft, the attack in the wild is targeting IE 7 and IE 8 on Windows XP. The exploit being used by the attackers actually combines two distinct vulnerabilities. In addition to the remote code execution bug, an information disclosure vulnerability is used to improve the reliability of the exploit and to create ROP (return-oriented programming) payloads specifically tailored to the victim’s machine.
“The information disclosure vulnerability does not allow remote code execution and so it has a lower security rating, since it will typically be used in combination with another high-severity bug (as happened with CVE-2013-3918) to improve effectiveness of exploitation,” blogged Elia Florio of Microsoft’s Security Response Center Engineering team. “Also, this vulnerability requires attackers to have prior knowledge of path and filenames present on targeted machines in order to be successfully exploited. This vulnerability was not used to bypass ASLR, but simply to remotely determine the exact version of a certain DLL on disk in order to build a more precise ROP payload.”
“We are still investigating the impact and root cause of the information disclosure vulnerability and we may follow up with additional information and mitigations as they become available,” Florio added.
According to FireEye, the attack has a link to the infrastructure used in Operation DeputyDog, which began in August and has targeted organizations in Japan. The attack’s payload is a variant of Hydraq/McRAT that FireEye is calling Trojan.APT.9002.
While Microsoft closed the door on this particular zero-day, today’s Patch Tuesday did not include a fix for an unrelated zero-day vulnerability in the Microsoft graphics component that affects certain versions of Windows, Office and Lync. The company did, however, release a total of eight security bulletins, including three rated ‘critical’. Those three cover not only the ActiveX vulnerability mentioned above, but also critical vulnerabilities affecting the Windows Graphics Device Interface (GDI) and Internet Explorer.
“Among the (IE) vulnerabilities, there are two information disclosure bugs and eight memory corruption issues that enable remote code execution, two of which (CVE-2013-3915 and CVE-2013-3917) affect every supported version of Internet Explorer,” explained BeyondTrust CTO Marc Maiffret. “These were all privately reported, with no known exploitation occurring in the wild. Typical exploitation scenarios will include attackers creating a malicious web page and convincing users to view the page, enabling the attackers to execute arbitrary code on the victims’ machines. Because every version of Internet Explorer is affected, it is highly recommended that this patch be rolled out as soon as possible.”
“The next bulletin, MS13-089, fixes a vulnerability in GDI, which affects every supported version of Windows from XP to Windows 8.1,” he added. “To exploit this vulnerability, attackers need to create a malicious file and convince users to open it in WordPad. So while this is not as simple as the browse-and-get-owned scenario offered by MS13-088, it is still potent, due to the fact that it affects every supported version of Windows. Administrators should deploy this patch as soon as possible.”
The remaining bulletins address issues in Microsoft Office, Outlook and Windows.