Attackers Target IE Bug

Monday, July 15, 2013 @ 04:07 PM gHale

Even though it was only just patched, attackers are using an Internet Explorer vulnerability in targeted attacks that also employ a malicious Flash file, delivered through a drive-by download launched from compromised Web pages.

The exploit is capable of bypassing address space layout randomization (ASLR) and data execution prevention (DEP).


The attacks exploit a memory corruption vulnerability in IE (CVE-2013-3163), which Microsoft patched Tuesday as part of its monthly patch cycle; the fix shipped in bulletin MS13-055. The attacks themselves appear to be small and targeted right now, but with the details of the vulnerability now public, that may change.

“The exploit code uses a memory corruption bug triggered from a webpage, but it deeply leverages a Flash SWF file in order to achieve reliable exploitation and code execution. The Flash file is made of sophisticated ActionScript code that allocates certain objects in memory in such a way that they can be corrupted later by the Internet Explorer bug in order to give unsafe access to memory regions to the Flash ActionScript code that will carry on the entire exploitation,” Microsoft’s Cristian Craioveanu and Elia Florio wrote in an analysis of the attacks.

In the attack scenario described by Microsoft, attackers construct malicious Web pages and use them to trigger the bug in vulnerable versions of IE. The MS13-055 patch applies to IE 6 through 10, which are all of the current versions. Once the vulnerability triggers, the code then installs the malicious Flash file.

“The common pattern for this limited targeted attack is a drive-by webpage ‘vid.aspx’ or ‘list.aspx’ used as a starting point to trigger the bug and run the secondary Flash payload,” Microsoft’s researchers said. “The shellcode used by the sample received attempts to download a graphic file (pageerror.gif) which contains an appended, encrypted and compressed malicious executable, possibly launched from %TEMP% folder using ‘javae.exe’ filename.”
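The second stage described above hides its executable after the end of an otherwise valid GIF. A defender inspecting fetched images (from a proxy cache, a sandbox or a forensic image) can catch that pattern by walking the GIF block structure and flagging anything past the 0x3B trailer. The following is an added example, not code from the article or from Microsoft's analysis; the function names are mine and the sample GIF is constructed, not a file from the attacks.

```python
import struct

def _skip_sub_blocks(data: bytes, pos: int) -> int:
    """Advance past length-prefixed sub-blocks until the 0x00 terminator."""
    while pos < len(data):
        size = data[pos]
        pos += 1 + size
        if size == 0:
            return pos
    raise ValueError("truncated sub-block chain")

def gif_end_offset(data: bytes) -> int:
    """Walk the GIF block structure; return the offset just past the 0x3B trailer."""
    if data[:6] not in (b"GIF87a", b"GIF89a") or len(data) < 13:
        raise ValueError("not a GIF, or truncated header")
    pos, packed = 13, data[10]
    if packed & 0x80:                          # global color table present
        pos += 3 * (2 << (packed & 0x07))      # 3 bytes per entry, 2^(n+1) entries
    while pos < len(data):
        block, pos = data[pos], pos + 1
        if block == 0x3B:                      # trailer: the image logically ends here
            return pos
        if block == 0x21:                      # extension: label byte, then sub-blocks
            pos = _skip_sub_blocks(data, pos + 1)
        elif block == 0x2C:                    # image descriptor (9 bytes)
            if pos + 9 > len(data):
                raise ValueError("truncated image descriptor")
            lpacked = data[pos + 8]
            pos += 9 + (3 * (2 << (lpacked & 0x07)) if lpacked & 0x80 else 0)
            pos = _skip_sub_blocks(data, pos + 1)  # +1 skips the LZW minimum code size
        else:
            raise ValueError(f"unknown block 0x{block:02x} at offset {pos - 1}")
    raise ValueError("no trailer found")

def appended_payload(data: bytes) -> bytes:
    """Bytes after the trailer: empty for a clean image, anything else is suspicious."""
    return data[gif_end_offset(data):]

# Constructed 1x1 GIF used as sample input (not a file from the attacks).
CLEAN_GIF = (
    b"GIF89a" + struct.pack("<HHBBB", 1, 1, 0x80, 0, 0)  # header + logical screen descriptor
    + b"\x00\x00\x00\xff\xff\xff"                        # 2-entry global color table
    + b"\x21\xf9\x04\x00\x00\x00\x00\x00"                # graphic control extension
    + b"\x2c" + struct.pack("<HHHHB", 0, 0, 1, 1, 0)     # image descriptor, no local table
    + b"\x02\x02\x44\x01\x00"                            # LZW min code size + pixel data
    + b"\x3b"                                            # trailer
)
# Stand-in for the appended, encrypted executable the article describes (constructed bytes).
TAINTED_GIF = CLEAN_GIF + b"\x9e\x17\x42" * 8
```

`appended_payload(blob)` returns an empty byte string for a well-formed image and the trailing bytes otherwise; a non-empty result on a file served as `image/gif` is worth a closer look, since legitimate encoders stop at the trailer.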
