Microsoft patches a zero-day exploit vulnerability in Internet Explorer

Although, Microsoft patched a zero-day vulnerability in Internet Explorer, it had already exploited in attacks involving a compromised website belonging to an evangelical church in Hong Kong.

Users are requested to update their computers as soon as possible.

It permits remote code execution which allows a user views a specially crafted web page using Internet Explorer. After that it allows the attacker the same user rights as the current user. Microsoft’s security update resolves this issue by modifying how Internet Explorer handles objects in memory.

First, the attackers compromised the website of the Evangelical Lutheran Church of Hong Kong and modified it to host a malicious iFrame which redirected visitors to another website hosting an exploit of the Internet Explorer Microsoft Internet Explorer Remote Memory Corruption Vulnerability (CVE-2015-2502).

According to Symantec, the IP address of this website is
This website hosts a file called vvv.html , which redirects to one of two other files called a.js and b.js, which lead to the download of a file called java.html to the victim’s computer. Java.html installs Korplug on the computer, in the form of an executable called c.exe.

Disable Java in your browsers, if installed as researchers spotted new Java based Zero-day Exploit

Researchers from Trend Micro have found out suspicious URLs that hosted a newly discovered Zero-day exploit, which refers to a hole in software that is exploited by hackers before the vendor becomes aware of it, in Java.

Brooks Li, a threat analyst and Feike Hacquebord, a senior threat researcher, who spotted this exploit, said that this was the first time in nearly two years that a new Java zero-day vulnerability was reported.

The researchers came to know about this exploit after receiving a feedback in their  Smart Protection Network.

According to the report, this new zero-day Java Exploit is being used in spear-phishing attacks targeting a certain forces of NATO country and a US Defence Organization
This zero-day bug affects only the latest Java version not the older versions, Java 1.6 and 1.7.
The vulnerability is still not patched by the company concerned.

According to the report, the URLs hosting the new Java zero-day exploit are similar to the URLs seen in the attack launched by the threat actors behind Pawn Storm that targeted North Atlantic Treaty Organization (NATO) members and White House last April 2015.

The researchers have asked the users to disable Java in browsers if installed due to an application.

Update your Adobe flash player to stay safe

Few days after Microsoft published a security advisory about a new critical security bug in IE that is being used in limited and targeted attacks, Adobe has issued an emergency security update to fix a critical vulnerability(CVE-2014-0515) in flash player.

Please note that it is completely unrelated to IE Exploit in which bug was in IE and the flash file(.swf) used for making the attack successful.  But, in this case, the bug exists in the flash player plugin. 

So, people who use vulnerable version of Adobe Flash player likely to be vulnerable to this attack.

If you are using windows or Mac, make sure you have the latest flash player version  If you are using Linux, make sure to update to the latest version

This new zero-day flash exploit was spotted as being used in Watering-hole attacks by researchers at Kaspersky Labs in early April.

According to SecureList, this flash exploit spread from a Syrian Justice Ministry website(  Researchers believe the attack was designed to compromise the computers of Syrian dissidents complaining about the government.

New Zero-day vulnerability affects all IE Versions from 6 to 11

A new Zero-day vulnerability in the Internet Explorer impacts all IE Versions from 6 to 11 and is being exploited in limited and targeted attacks. The worst part is there is no patch.

The zero-day exploit have been Dubbed as "Operation Clandestine Fox" by FireEye, is currently targeting only users of Internet explorer 9 through IE11.

To get infected by malware, user don't need to open a suspicious email attachments.  A simple visit to malicious webpage loaded with this IE exploit code will deliver the malware into your system.

According to FireEye report, the exploit page loads a malicious flash file(.swf) that calls javascript in IE to trigger the IE vulnerability.  The reason why attackers used the flash file is to make the attack successful bypassing the ASLR and DEP Protections.

What do you can do to protect yourself?
Microsoft didn't mention when it is going to release the patch. But, it has issued few workarounds for IE users.

One of them is to use the Enhanced Mitigation Experience Toolkit(EMET), a free software from Microsoft that will help in mitigating the exploitation of vulnerabilities by adding additional protection layers.

Micorosof also suggested few other workarounds such as disabling IE extension VGX.dll by entering the following command in cmd:
"%SystemRoot%\System32\regsvr32.exe" -u "%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll" 

New IE Zero-day vulnerability exploited in the wild, infects with malware

New Internet Explorer zero-day vulnerabilities are currently being exploited in the wild in Watering Hole Attack, infects the visitors of malicious websites with malware, Security researchers at FireEye Labs warn.
One of the vulnerability is an Information leakage that affects windows IE8 in Windows XP and IE9 in windows 7.  The exploit sends timestamp retrieved from the PE headers of msvcrt.dll" which is being used for choosing exploit.

The second one is memory access vulnerability designed to work on IE 7 and 8 in Windows XP, and Windows 7.  The researchers also discovered the vulnerability affects IE 7,8, 9 and 10.

After successful exploitation, he shellcode used in the exploit launches rundll3d.exe and inject malicious code.  The malicious code then downloads and runs malware file from attacker's server.

Almost Half of Tor sites compromised by FBI [Exclusive details]

As many of you might know the US has been pushing for the extradition of Eric Eoin Marques who an FBI agent has called as "the largest facilitator of child porn on the planet."

But most of you might not know that he is also the owner of "freedom hosting" the largest hosting provider for .onion sites within the TOR network . This means that all the sites hosted by "freedom hosting" are at the hands of the FBI. As you can see from the above linked article freedom hosting has been accused of hosting child pornography for a very long time.

I also have a fair idea on how the FBI did the "impossible", tracing a person who is using Tor.And they further might have found details on all the people visiting sites hosted by freedom hosting. First have a look at what a person posted on pastebin on Aug 3rd he says he found this code in the main page of "freedom host" this further links to this exploit .

This is my analysis of the exploit ( I have not looked into it deeply as I am busy with my exams)
1. It is a 0 day for the Firefox version that comes as default with the "TOR Browser Bundle"
2. The code says "version >=17 && version <18" checks if the browser is the right version that the exploit works on .

It also has an another check
var i = navigator.userAgent.indexOf("Windows NT");
        if (i != -1)
                return true;
        return false;

3.It also manages to gather the Real IP of the user and possibly execute a malicious payload that might give the attacker full access to the system.
4. This exploits works because the people at TOR project had made it such that Javascript is loaded by the built in browser by default (this was not the case before and people who had their "no script" plugin with proper setting "disallowed" are safe)
5.Please note that is NOT a zero day for the TOR network but rather an exploit for the Firefox version that most TOR users are running.

Tor's official reply:

Though the action's done by the FBI to take down child pornography in the TOR network is appreciated by all of us, many of the legitimate sites hosted by freedom hosting are also down .They should make sure that what they do does not kill the freedom and anonymity that the TOR network stands for.

Edit 1: Here are a few other deeper analysis I found --> ,

PS: If you have anything more that you would like to be added to this article or any corrections you can contact me on Twitter 

Ichitaro zero-day Vulnerability exploited in the wild, targets Japan users

JustSystems Corporation, the developer of one of the top Japanese word processor Ichitaro, announced that Arbitrary code execution vulnerbility in Ichitaro is being exploited in the wild.

When an user open a malicious document that exploits this vulnerability, the malware will be dropped in the victim's machine. The malware can delete your data , warns JustSystems.

In a report, Symantec said they have seen the exploitation in the wild since mid-January. The attack targets Japan users.

Malicious Attachment - Image Credits:Symantec
According to their report, the attack starts with an archive file contains the following files: A clean Ichitaro document (.jtd file), A modified JSMISC32.DLL file with a hidden attribute, A malicious DLL file with a hidden attribute and a .jtd file extension.

When the .jtd document is opened on a vulnerable computer, it executes the modified JSMISC32.DLL that further launches the malicious DLL file with the .jtd file extension.

Ichitaro users are advised to download and apply the patch from JustSystems, to protect against this exploit.