Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Second Internet Explorer Zero-Day Patched by Microsoft Used in Campaign Against IE8 Users

Security researchers say a previously undisclosed Internet Explorer zero-day patched by Microsoft this week has been actively used in targeted attacks since at least September.

Security researchers say a previously undisclosed Internet Explorer zero-day patched by Microsoft this week has been actively used in targeted attacks since at least September.

The vulnerability – CVE-2013-3897 – is a use-after-free vulnerability issue in CDisplayPointer triggered with the onpropertychange event handler. According to Microsoft, the exploit was designed to target only Internet Explorer 8 on Windows XP for Korean and Japanese language-based users.

The vulnerability was one of 10 addressed in an Internet Explorer update released Tuesday as part of MS13-80. It was one of two zero-day bugs affecting the browser that were plugged in the update. The other, CVE-2013-3893, was already seen being leveraged in attacks.

“The attacks were served by directly browsing to raw IP addresses and were spotted served by selected IP addresses in the network range of 1.234.31.x/24, which is geolocated in the Republic of Korea,” according to Websense’s Security Labs. “The attack lure pages (starting point of the exploit chain) on that network range share the same URL patterns and they all consist of the URL structure <x.x.x.x>/mii/guy2.html.”

 “We also spotted that a URL with that same structure on the same network range was used to serve an older and disclosed exploit for Internet Explorer CVE-2012-4792 also in a low-volume and targeted way,” the researchers continued. “Those attacks were launched at the end of August this year.”

Advertisement. Scroll to continue reading.

According to Trustwave’s SpiderLabs, the attacker uses navigator.userLanguage to identify the end-user machine’s language, and if that language is not Korean or Japanese, the JavaScript redirects the page to google.com and terminates the attack on that machine. The same is true if the machine is not running IE 8 on Windows XP.

The malicious payload is responsible for several malicious activities, explained SpiderLab’s Daniel Chechik.

“It attempts to disable any security products that may be running on the victim machine, redirects banking sites to a malicious IP address and tries to steal credentials for popular on-line games,”
he blogged. “The various techniques used indicate that this payload is not meant for any targeted scenario but instead will simply try to target any Korean or Japanese users it stumbles upon.”

According to Websense, the exploit has been hosted on servers in Seoul, South Korea, and has been seen targeting computers there as well as in Hong Kong and the United States.

“As observed in both exploits, attackers are able to target previous versions of Internet Explorer on older platforms where all the newest mitigations are not available or not enabled by default,” blogged Elia Florio of Microsoft Security Response Center’s Engineering team. “As such, we advise users, to install and use the latest versions of Internet Explorer on modern Windows in order to raise exploitation challenges for attackers and have better defense. For more information about the impact of software mitigations on patterns of vulnerability exploitation, Microsoft released recently a whitepaper that can help to understand the role of software mitigations and exploitation strategies of attackers.”

Written By

Marketing professional with a background in journalism and a focus on IT security.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Learn how to utilize tools, controls, and design models needed to properly secure cloud environments.

Register

Event: ICS Cybersecurity Conference

The leading industrial cybersecurity conference for Operations, Control Systems and IT/OT Security professionals to connect on SCADA, DCS PLC and field controller cybersecurity.

Register

People on the Move

Mobile security firm Zimperium has welcomed David Natker as its VP of Global Partners and Alliances.

CISA has appointed Jeff Greene as Executive Assistant Director for Cybersecurity and Trent Frazier as Assistant Director for Stakeholder Engagement.

David Chétrit has been appointed the CEO of Kudelski Security.

More People On The Move

Expert Insights