Security Experts:

Connect with us

Hi, what are you looking for?



Second Internet Explorer Zero-Day Patched by Microsoft Used in Campaign Against IE8 Users

Security researchers say a previously undisclosed Internet Explorer zero-day patched by Microsoft this week has been actively used in targeted attacks since at least September.

Security researchers say a previously undisclosed Internet Explorer zero-day patched by Microsoft this week has been actively used in targeted attacks since at least September.

The vulnerability – CVE-2013-3897 – is a use-after-free vulnerability issue in CDisplayPointer triggered with the onpropertychange event handler. According to Microsoft, the exploit was designed to target only Internet Explorer 8 on Windows XP for Korean and Japanese language-based users.

The vulnerability was one of 10 addressed in an Internet Explorer update released Tuesday as part of MS13-80. It was one of two zero-day bugs affecting the browser that were plugged in the update. The other, CVE-2013-3893, was already seen being leveraged in attacks.

“The attacks were served by directly browsing to raw IP addresses and were spotted served by selected IP addresses in the network range of 1.234.31.x/24, which is geolocated in the Republic of Korea,” according to Websense’s Security Labs. “The attack lure pages (starting point of the exploit chain) on that network range share the same URL patterns and they all consist of the URL structure <x.x.x.x>/mii/guy2.html.”

 “We also spotted that a URL with that same structure on the same network range was used to serve an older and disclosed exploit for Internet Explorer CVE-2012-4792 also in a low-volume and targeted way,” the researchers continued. “Those attacks were launched at the end of August this year.”

According to Trustwave’s SpiderLabs, the attacker uses navigator.userLanguage to identify the end-user machine’s language, and if that language is not Korean or Japanese, the JavaScript redirects the page to and terminates the attack on that machine. The same is true if the machine is not running IE 8 on Windows XP.

The malicious payload is responsible for several malicious activities, explained SpiderLab’s Daniel Chechik.

“It attempts to disable any security products that may be running on the victim machine, redirects banking sites to a malicious IP address and tries to steal credentials for popular on-line games,”
he blogged. “The various techniques used indicate that this payload is not meant for any targeted scenario but instead will simply try to target any Korean or Japanese users it stumbles upon.”

According to Websense, the exploit has been hosted on servers in Seoul, South Korea, and has been seen targeting computers there as well as in Hong Kong and the United States.

“As observed in both exploits, attackers are able to target previous versions of Internet Explorer on older platforms where all the newest mitigations are not available or not enabled by default,” blogged Elia Florio of Microsoft Security Response Center’s Engineering team. “As such, we advise users, to install and use the latest versions of Internet Explorer on modern Windows in order to raise exploitation challenges for attackers and have better defense. For more information about the impact of software mitigations on patterns of vulnerability exploitation, Microsoft released recently a whitepaper that can help to understand the role of software mitigations and exploitation strategies of attackers.”

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.


A high-severity format string vulnerability in F5 BIG-IP can be exploited to cause a DoS condition and potentially execute arbitrary code.