New Zero-day vulnerability affects all IE Versions from 6 to 11

A new Zero-day vulnerability in the Internet Explorer impacts all IE Versions from 6 to 11 and is being exploited in limited and targeted attacks. The worst part is there is no patch.

The zero-day exploit have been Dubbed as "Operation Clandestine Fox" by FireEye, is currently targeting only users of Internet explorer 9 through IE11.

To get infected by malware, user don't need to open a suspicious email attachments.  A simple visit to malicious webpage loaded with this IE exploit code will deliver the malware into your system.

According to FireEye report, the exploit page loads a malicious flash file(.swf) that calls javascript in IE to trigger the IE vulnerability.  The reason why attackers used the flash file is to make the attack successful bypassing the ASLR and DEP Protections.

What do you can do to protect yourself?
Microsoft didn't mention when it is going to release the patch. But, it has issued few workarounds for IE users.

One of them is to use the Enhanced Mitigation Experience Toolkit(EMET), a free software from Microsoft that will help in mitigating the exploitation of vulnerabilities by adding additional protection layers.

Micorosof also suggested few other workarounds such as disabling IE extension VGX.dll by entering the following command in cmd:
"%SystemRoot%\System32\regsvr32.exe" -u "%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll" 

New IE Zero-day vulnerability exploited in the wild, infects with malware


New Internet Explorer zero-day vulnerabilities are currently being exploited in the wild in Watering Hole Attack, infects the visitors of malicious websites with malware, Security researchers at FireEye Labs warn.
 
One of the vulnerability is an Information leakage that affects windows IE8 in Windows XP and IE9 in windows 7.  The exploit sends timestamp retrieved from the PE headers of msvcrt.dll" which is being used for choosing exploit.

The second one is memory access vulnerability designed to work on IE 7 and 8 in Windows XP, and Windows 7.  The researchers also discovered the vulnerability affects IE 7,8, 9 and 10.

After successful exploitation, he shellcode used in the exploit launches rundll3d.exe and inject malicious code.  The malicious code then downloads and runs malware file from attacker's server.

Temporary fix for new zero-day IE vulnerability (CVE-2013-1347)

 
Microsoft has issued a temporary fix the recently uncovered Internet Explorer 8 vulnerability that was exploited in the US Department of Labor hack for serving malware.

The vulnerability affects only IE8 so users running Internet explorer versions 6, 7, 9 and 10 do not need to take any action.

Microsoft is working on fixing the issue.  In the meantime, users are urged to apply the temporary fix to prevent from the attack.

To do this, visit this page "http://support.microsoft.com/kb/2847140" and click the Fix it button or link under the Enable heading.

If you are a pentester, the technical analysis and metasploit module can be found here:
https://community.rapid7.com/community/metasploit/blog/2013/05/05/department-of-labor-ie-0day-now-available-at-metasploit

New IE8 Zero-day was used in the DOL Watering Hole attack



A Few days ago Alienvault Labs reported U.S Department of Labor website was hacked and redirects to malware page.  In their report, they mentioned the exploit used in the attack was CVE-2012-4792.

After further analysis security researchers have discovered the vulnerability exploited in the cyber attack wasn't CVE-2012-4792 but a new zero-day affecting the Internet Explorer 8.

CVE identifier CVE-2013-1347 has been assigned for this new IE vulnerability. Microsoft noted that Internet Explorer 6, IE7, IE9, and IE10 are not affected by the vulnerability.

"U.S Department of Labor website wasn’t the only entity affected and we can confirm that at least 9 other websites were redirecting to the malicious server at the same time" AlienVault reports.

According to their report, the cyber attack targets the websites belong to several non-profit groups and institutes as well as a big european company that plays on the aerospace, defence and security markets.

Invincea's founder Anup Ghosh told NextGov that the "target of the attack are [Energy Department] folks in a watering hole style attack compromising one federal department to attack another".

Quick fix for IE zero-day Vulnerability (CVE-2012-4792) is available


Microsoft has released quick fix for a zero-day vulnerability in older versions of its Internet Explorer web browser that is actively being exploited by hackers.

The security flaw affects the IE 6, Internet Explorer 7 and Internet Explorer 8. Versions 9 and 10 are not affected by this vulnerability.

About CVE-2012-4792:

Use-after-free vulnerability in Microsoft Internet Explorer 6 through 8 allows remote attackers to execute arbitrary code via a crafted web site that triggers access to an object that (1) was not properly allocated or (2) is deleted, as demonstrated by a CDwnBindInfo object, and exploited in the wild in December 2012.

The company said that the "Fix it solution" is not intended to be a replacement for any security update.

"We recommend that you always install the latest security updates. However, we offer this Fix it solution as a workaround option for some scenarios."

Quick fix the vulnerability is available here:
http://support.microsoft.com/kb/2794220#FixItForMe

IE vulnerability allows attackers to track mouse cursor, even if IE window is inactive


Internaut often use virtual keyboard while typing their password in order to protect their data from being stolen from Keyloggers.  It seems like a new bug in IE makes the virtual keyboard insecure.

A security researcher from Spider.io claimed to have discovered a security flaw in the Internet Explorer versions 6 through 10, could allow hackers to track user's mouse movements , even if the IE window is minimized.

"Internet Explorer’s event model populates the global Event object with some attributes relating to mouse events, even in situations where it should not. " Explained in the Spider.io.

"Combined with the ability to trigger events manually using the fireEvent() method, this allows JavaScript in any webpage (or in any iframe within any webpage) to poll for the position of the mouse cursor anywhere on the screen and at any time—even when the tab containing the page is not active, or when the Internet Explorer window is unfocused or minimized. The fireEvent() method also exposes the status of the control, shift and alt keys."
The Demo of the bug can be found here:
http://iedataleak.spider.io/demo


They have also created a game(iedataleak.spider.io) to illustrate how easily this security vulnerability in Internet Explorer may be exploited to compromise the security of virtual keyboards and virtual keypads.

German government recommends IE Users to use alternate browser

The German government took a good step by urging its citizens to temporarily stop using Internet Explorer following the discovery of zero-day IE exploit.

The German government's Federal Office for Information Security, or BSI, said it was aware of targeted attacks and that all that was needed was to lure Web surfers to a website where hackers had planted malicious software that exploited the bug.

"A fast spreading of the code has to be feared," the German government said in its statement.

"Security update of the manufacturer is currently unavailable. Therefore, the BSI recommends all users of Internet Explorer to use as long as an alternative browser for Internet use, until the manufacturer has released a security update is available. The BSI is a solution with regard to the closure of the vulnerability in conjunction with Microsoft. Once the vulnerability has been closed, the BSI will inform you." BSI said in the advisory.

New 0-day IE exploit discovered and Metasploit module is available


A Security researcher has come across a new zero-day IE exploit while analyzing a malware page that was being used to exploit Java vulnerabilities. According to Metasploit team, the Internet Explorer 7, 8, and 9 on Windows XP, Vista and 7 are vulnerable to this attack.

Eric Romang has discovered a “/public/help” folder on one of the infected servers . He found one flash file(.swf) , two html page (protect.html,exploit.html) and exe file.


When he opened the exploit.html page, it loads the flash file ,which in turn loads the other HTML page( protect.html). Together, they help drop the executable on to the victim's computer.

Image Credits: Alientvault

Metasploit team immediately developed Metasploit module for this exploit.This module exploits a vulnerability found in Microsoft Internet Explorer. When  rendering an HTML page, the CMshtmlEd object gets deleted in an unexpectedly matter, but the same memory is reused again later in a CMshtmlEd::Exec() function, which causes an use-after-free condition.

According to Metasploit researchers, the exploit, which had already been used by malicious attackers in the wild before it was published in Metasploit, is affecting about 41% of Internet users in North America and 32% world-wide.

Since Microsoft has not released a patch for this vulnerability yet,we advice IE users to switch to other browser until a security update becomes available.