Security researchers say a previously undisclosed Internet Explorer zero-day patched by Microsoft this week has been actively used in targeted attacks since at least September.
The vulnerability – CVE-2013-3897 – is a use-after-free vulnerability issue in CDisplayPointer triggered with the onpropertychange event handler. According to Microsoft, the exploit was designed to target only Internet Explorer 8 on Windows XP for Korean and Japanese language-based users.
The vulnerability was one of 10 addressed in an Internet Explorer update released Tuesday as part of MS13-80. It was one of two zero-day bugs affecting the browser that were plugged in the update. The other, CVE-2013-3893, was already seen being leveraged in attacks.
“The attacks were served by directly browsing to raw IP addresses and were spotted served by selected IP addresses in the network range of 1.234.31.x/24, which is geolocated in the Republic of Korea,” according to Websense’s Security Labs. “The attack lure pages (starting point of the exploit chain) on that network range share the same URL patterns and they all consist of the URL structure /mii/guy2.html.”
“We also spotted that a URL with that same structure on the same network range was used to serve an older and disclosed exploit for Internet Explorer CVE-2012-4792 also in a low-volume and targeted way,” the researchers continued. “Those attacks were launched at the end of August this year.”
According to Trustwave’s SpiderLabs, the attacker uses navigator.userLanguage to identify the end-user machine’s language, and if that language is not Korean or Japanese, the JavaScript redirects the page to google.com and terminates the attack on that machine. The same is true if the machine is not running IE 8 on Windows XP.
The malicious payload is responsible for several malicious activities, explained SpiderLab’s Daniel Chechik.
“It attempts to disable any security products that may be running on the victim machine, redirects banking sites to a malicious IP address and tries to steal credentials for popular on-line games,”
he blogged. “The various techniques used indicate that this payload is not meant for any targeted scenario but instead will simply try to target any Korean or Japanese users it stumbles upon.”
According to Websense, the exploit has been hosted on servers in Seoul, South Korea, and has been seen targeting computers there as well as in Hong Kong and the United States.
“As observed in both exploits, attackers are able to target previous versions of Internet Explorer on older platforms where all the newest mitigations are not available or not enabled by default,” blogged Elia Florio of Microsoft Security Response Center’s Engineering team. “As such, we advise users, to install and use the latest versions of Internet Explorer on modern Windows in order to raise exploitation challenges for attackers and have better defense. For more information about the impact of software mitigations on patterns of vulnerability exploitation, Microsoft released recently a whitepaper that can help to understand the role of software mitigations and exploitation strategies of attackers.”