7 replies to this topic

[AplusWebMaster]

FYI...

IE 0-day attack in-the-wild...
- https://krebsonsecur...-zero-day-flaw/
Dec 28th, 2012 - "Attackers are breaking into Microsoft Windows computers using a newly discovered vulnerability in Internet Explorer, security experts warn. While the flaw appears to have been used mainly in targeted attacks so far, this vulnerability could become more widely exploited if incorporated into commercial crimeware kits sold in the underground. In a blog posting* Friday evening, Milpitas, Calif. based security vendor FireEye said it found that the Web site for the Council on Foreign Relations was compromised and rigged to exploit a previously undocumented flaw in IE8 to install malicious software on vulnerable PCs used to browse the site. According to FireEye, the attack uses Adobe Flash to exploit a vulnerability in the latest (fully-patched) version of IE8..."
* http://blog.fireeye....ck-details.html
2012.12.28 - "... we received reports that the Council on Foreign Relations (CFR) website was compromised and hosting malicious content on or around 2:00 PM EST on Wednesday, December 26. Through our Malware Protection Cloud, we can confirm that the website was compromised at that time, but we can also confirm that the CFR website was also hosting the malicious content as early as Friday, December 21... We can also confirm that the malicious content hosted on the website does appear to use Adobe Flash to generate a heap spray attack against Internet Explorer version 8.0 (fully patched), which was the source of the zero-day vulnerability. We have chosen not to release the technical details of this exploit, as Microsoft is still investigating the vulnerability at this time... the JavaScript proceeded to load a flash file today.swf, which ultimately triggered a heap spray in Internet Explorer in order to complete the compromise of the endpoint..."
Update: "... We have seen multiple variations of this attack, as it looks like the attackers changed tactics multiple times during this campaign... Here is the decrypted payload.
- https://www.virustot...780b9/analysis/
File name: base
Detection ratio: 21/45
Analysis date: 2012-12-31

- https://krebsonsecur...-flaw/#comments
Dec 29, 2012 - "... worth noting that IE9 is not supported on Windows XP, so this vulnerability is probably most dangerous for XP users who browse with IE."
___

- https://secunia.com/advisories/51695/
Release Date: 2012-12-30
Criticality level: Extremely critical
Impact: System access
Where: From remote
Solution Status: Unpatched
Software: IE 6.x, 7.x, 8.x
... currently being actively exploited in targeted attacks.
Original Advisory: http://technet.micro...dvisory/2794220

- http://h-online.com/-1775071
30 Dec 2012

- http://www.kb.cert.org/vuls/id/154201
29 Dec 2012
___

MS Security Advisory (2794220)
Vulnerability in Internet Explorer Could Allow Remote Code Execution
- http://technet.micro...dvisory/2794220
Dec 29, 2012 - "Microsoft is investigating public reports of a vulnerability in IE6, IE7, and IE8. Internet Explorer 9 and Internet Explorer 10 are -not- affected by the vulnerability. Microsoft is aware of targeted attacks that attempt to exploit this vulnerability through Internet Explorer 8. The vulnerability is a remote code execution vulnerability that exists in the way that Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated. The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website. On completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include providing a solution through our monthly security update release process, or an out-of-cycle security update, depending on customer needs..."
CVE Reference:
- https://web.nvd.nist...d=CVE-2012-4792
"... exploited in the wild in December 2012."

- https://blogs.techne...Redirected=true
Dec 29, 2012 - "... we are actively working to develop a security update to address this issue..."

- https://blogs.techne...Redirected=true
29 Dec 2012 - "... We’re also working on an appcompat shim-based Fix It protection tool that can be used to protect systems until the comprehensive update is available. The shim does not address the vulnerability but does prevent the vulnerability from being exploited for code execution... we’re working around the clock on the full security update. You should next expect to see an update from us announcing the availability of a Fix It tool to block the vulnerable code paths..."

Edited by AplusWebMaster, 30 December 2012 - 10:57 PM.

[AplusWebMaster]

FYI...

Targeted 0-day attack - IE 6, 7, and 8
- https://isc.sans.edu...l?storyid=14776
Last Updated: 2012-12-30 22:06:53 UTC... Version: 2 - "... Update:
There is now a Metasploit module (ie_cdwnbindinfo_uaf)that emulates this attack, meaning this will move in to mainstream exploitation rapidly, thus mitigation steps should be taken so soon as possible. Home users running XP should be looking to use another browser as their primary method of browsing the web, and corporate security staff should review Microsoft’s recommendations to build a layered defence to protect staff..."

- https://web.nvd.nist...d=CVE-2012-4792 - 9.3 (HIGH)
Last revised: 12/31/2012 - "Use-after-free vulnerability in Microsoft Internet Explorer 6 through 8... exploited in the wild in December 2012..."

- https://secunia.com/advisories/51695/
Release Date: 2012-12-30
Criticality level: Extremely critical
Impact: System access
Where: From remote
Solution Status: Unpatched
Software: IE 6.x, 7.x, 8.x
... currently being actively exploited in targeted attacks.
Original Advisory: http://technet.micro...dvisory/2794220

Edited by AplusWebMaster, 31 December 2012 - 01:10 PM.

[AplusWebMaster]

FYI...

MS Fix it released for IE 0-day...
- http://technet.micro...dvisory/2794220
Updated: Dec 31, 2012 - "... Workarounds: Apply the Microsoft Fix it solution, "MSHTML Shim Workaround", that prevents exploitation of this issue. See Microsoft Knowledge Base Article 2794220* ..."
* http://support.micro...4220#FixItForMe
Last Review: Dec 31, 2012 - Rev 1.0
Applies to: IE8, IE7, IE6...

> http://forums.whatth...=...st&p=809053
7 Jan 2013

Edited by AplusWebMaster, 09 January 2013 - 09:53 AM.

[AplusWebMaster]

FYI...

Microsoft Security Bulletin MS13-008 - Critical
- http://forums.whatth...=...st&p=809670
"... This update for Internet Explorer 6-8..."

Edited by AplusWebMaster, 14 January 2013 - 12:58 PM.

[AplusWebMaster]

FYI...

IE10 0-Day found in Watering Hole Attack
- http://www.fireeye.c...e-attack-2.html
Feb 13, 2014 - "FireEye Labs has identified a new Internet Explorer (IE) zero-day exploit hosted on a breached website based in the U.S. It’s a brand new zero-day that targets IE 10 users visiting the compromised website – a classic drive-by download attack. Upon successful exploitation, this zero-day attack will download a XOR encoded payload from a remote server, decode and execute it. This post was intended to serve as a warning to the general public. We are collaborating with the Microsoft Security team on research activities..."

- http://www.fireeye.c...rs-website.html
Feb 13, 2014 - "... Mitigation: The exploit targets IE 10 with Adobe Flash. It aborts exploitation if the user is browsing with a different version of IE or has installed Microsoft’s Experience Mitigation Toolkit (EMET). So installing EMET or updating to IE 11 prevents this exploit from functioning..."
58.64.200.178 - https://www.virustot...78/information/
.
58.64.200.179 - https://www.virustot...79/information/
.
103.20.192.4 - https://www.virustot....4/information/
.
Related: http://www.fireeye.c...s-pdf-time.html
Feb 13, 2013 - "... In response to the many requests we’ve received for more detailed information, we would like to let our readers know that we have been working with Adobe and have jointly agreed to refrain from posting the technical details of the zero-day at this time. This post was intended to serve as a warning to the general public. We will update this post with more information at a later time."

- https://isc.sans.edu...l?storyid=17642
Last Updated: 2014-02-14 04:11:27 UTC
___

- http://www.securityt....com/id/1029765
> https://web.nvd.nist...d=CVE-2014-0322 - 9.3 (HIGH)
Updated: Feb 20 2014
Impact: Execution of arbitrary code via network, User access via network
Vendor Confirmed:  Yes  
Description: ... A specific exploit is active that targets version 10 but -exits- if Microsoft’s Experience Mitigation Toolkit (EMET) is detected...
This vulnerability is being actively exploited...
FireEye reported this vulnerability.
Impact: A remote user can create HTML that, when loaded by the target user, will execute arbitrary code on the target user's system.
Solution: The "MSHTML Shim Workaround" Microsoft Fix it solution will prevent exploitation.
The vendor's advisory is available at:
- https://technet.micr...dvisory/2934088
Microsoft Fix it 51007

Watering hole attack using IE 10 0-day
> http://www.symantec....ay-diagram1.png
15 Feb 2014

MS IE10 - CMarkup Use-After-Free vuln
- https://secunia.com/advisories/56974/
Last Update: 2014-02-20
Criticality: Extremely Critical
Where: From remote
Impact: System access
Solution: Apply FixIt.
Original Advisory: Microsoft (KB2934088):
Last Review: Feb 19, 2014 - Rev: 1.0
Enable MSHTML shim workaround - Microsoft Fix it 51007*
... Before you install this Fix it solution, you must first install the latest updates for Internet Explorer 9 or Internet Explorer 10. To install the most current update for Internet Explorer, go to the following Microsoft webpage:
- http://update.micros...microsoftupdate

* http://support.micro...4088#FixItForMe

CVE Reference: https://web.nvd.nist...d=CVE-2014-0322 - 9.3 (HIGH)
Last revised: 02/18/2014 - "... as exploited in the wild in January and February 2014."
.
- http://www.kb.cert.org/vuls/id/732479
Last revised: 19 Feb 2014

- http://arstechnica.c...ttack-ms-warns/
Feb 13 2014 - "... surreptitiously installed -malware- on computers running a fully patched version 10 of the Internet Explorer browser. The attacks also work on IE 9... strongly consider switching to another browser altogether. Google Chrome has long received high marks for security, as has Mozilla Firefox."

- http://www.theinquir...cks-on-military
Feb 14 2014 - "... just avoid the Microsoft browser altogether by running an alternative like Google Chrome or Mozilla Firefox."
 

Edited by AplusWebMaster, 20 February 2014 - 11:45 AM.

[AplusWebMaster]

FYI...

Microsoft Security Advisory (2934088)
Vulnerability in Internet Explorer Could Allow Remote Code Execution
- http://technet.micro...dvisory/2934088
Feb 19, 2014

- http://support.micro....com/kb/2934088
Last Review: Feb 19, 2014 - Rev: 1.0
Enable MSHTML shim workaround - Microsoft Fix it 51007*
... Before you install this Fix it solution, you must first install the latest updates for Internet Explorer 9 or Internet Explorer 10. To install the most current update for Internet Explorer, go to the following Microsoft webpage:
- http://update.micros...microsoftupdate

* http://support.micro...4088#FixItForMe

- http://support.micro....com/kb/2909921 - MS14-010
Last Review: Mar 12, 2014 - Rev: 2.0

- https://web.nvd.nist...d=CVE-2014-0322 - 9.3 (HIGH)
Last revised: 03/06/2014 - "... as exploited in the wild in January and February 2014."

- http://atlas.arbor.n...dex#-1535410988
High Severity
20 Feb 2014
"... 0day exploit code for Internet Explorer 10. IE 9 is also vulnerable. Earlier exploit activity around CVE-2014-0322 has also been observed. The actual exploit code has been made publicly available. A security bulletin and fix-it are available from Microsoft..."
___

- https://blogs.techne...Redirected=true
Feb 19, 2014 - "... impacts Internet Explorer 9 and 10. Internet Explorer 6, 7, 8 and 11 are -not- affected..."
 

Edited by AplusWebMaster, 14 March 2014 - 10:44 AM.

[AplusWebMaster]

FYI...

IE 0-day - CMarkup Object Processing Flaw Lets Remote Users Execute Arbitrary Code
- http://www.securityt....com/id/1030266
CVE Reference: https://web.nvd.nist...d=CVE-2014-1770 - 9.3
Updated: Jun 10 2014
Impact: Execution of arbitrary code via network, User access via network
Vendor Confirmed:  Yes  
Version(s): 8; possibly other versions
Description: A vulnerability was reported in Microsoft Internet Explorer. A remote user can cause arbitrary code to be executed on the target user's system. A remote user can create specially crafted HTML that, when loaded by the target user, will trigger a memory error in the processing of CMarkup objects to execute arbitrary code on the target system. The code will run with the privileges of the target user.
The vendor was notified on October 11, 2013.
The original advisory is available at:
- http://zerodayinitia...ies/ZDI-14-140/
Solution: The vendor has issued a fix...
Vendor URL: https://technet.micr...curity/ms14-035
___

- https://atlas.arbor....ndex#1620714508
Elevated Severity
23 May 2014
A new zero-day vulnerability for Internet Explorer 8 has been disclosed.
Analysis: The flaw, which exists in the handling of CMarkup objects, could allow remote attackers to execute arbitrary code. Exploitation of this vulnerability requires user interaction, either by visiting a malicious site or opening a malicious file... The vulnerability is currently unpatched; it is recommended that users set Internet security zone settings to "High" to block ActiveX Controls and configure IE to prompt before running Active Scripting. Users should also ensure that Microsoft’s EMET (Enhanced Mitigation Experience Toolkit) is enabled.
 

Edited by AplusWebMaster, 18 June 2014 - 06:25 PM.

[AplusWebMaster]

FYI...

IE9 0-day ...
- https://secunia.com/advisories/60610/
Release Date: 2014-12-08
Criticality: Highly Critical
Where: From remote
Impact: System access
Solution Status: Unpatched
Software: Microsoft Internet Explorer 9.x
CVE Reference(s): https://web.nvd.nist...d=CVE-2014-8967 - 6.8
Description: ... vulnerability is caused due to a use-after-free error when handling CElement objects and can be exploited to cause memory corruption via a specially crafted HTML element with "display:run-in" style applied. Successful exploitation of this vulnerability may allow execution of arbitrary code...
- http://www.zerodayin...ies/ZDI-14-403/
2014-12-04
 

Edited by AplusWebMaster, 16 December 2014 - 10:50 PM.