IE 0-day attack in-the-wild...
Dec 28th, 2012 - "Attackers are breaking into Microsoft Windows computers using a newly discovered vulnerability in Internet Explorer, security experts warn. While the flaw appears to have been used mainly in targeted attacks so far, this vulnerability could become more widely exploited if incorporated into commercial crimeware kits sold in the underground. In a blog posting* Friday evening, Milpitas, Calif. based security vendor FireEye said it found that the Web site for the Council on Foreign Relations was compromised and rigged to exploit a previously undocumented flaw in IE8 to install malicious software on vulnerable PCs used to browse the site. According to FireEye, the attack uses Adobe Flash to exploit a vulnerability in the latest (fully-patched) version of IE8..."
Update: "... We have seen multiple variations of this attack, as it looks like the attackers changed tactics multiple times during this campaign... Here is the decrypted payload.
File name: base
Detection ratio: 21/45
Analysis date: 2012-12-31
Dec 29, 2012 - "... worth noting that IE9 is not supported on Windows XP, so this vulnerability is probably most dangerous for XP users who browse with IE."
Release Date: 2012-12-30
Criticality level: Extremely critical
Impact: System access
Where: From remote
Solution Status: Unpatched
Software: IE 6.x, 7.x, 8.x
... currently being actively exploited in targeted attacks.
Original Advisory: http://technet.micro...dvisory/2794220
30 Dec 2012
29 Dec 2012
MS Security Advisory (2794220)
Vulnerability in Internet Explorer Could Allow Remote Code Execution
Dec 29, 2012 - "Microsoft is investigating public reports of a vulnerability in IE6, IE7, and IE8. Internet Explorer 9 and Internet Explorer 10 are -not- affected by the vulnerability. Microsoft is aware of targeted attacks that attempt to exploit this vulnerability through Internet Explorer 8. The vulnerability is a remote code execution vulnerability that exists in the way that Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated. The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website. On completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include providing a solution through our monthly security update release process, or an out-of-cycle security update, depending on customer needs..."
"... exploited in the wild in December 2012."
Dec 29, 2012 - "... we are actively working to develop a security update to address this issue..."
29 Dec 2012 - "... We’re also working on an appcompat shim-based Fix It protection tool that can be used to protect systems until the comprehensive update is available. The shim does not address the vulnerability but does prevent the vulnerability from being exploited for code execution... we’re working around the clock on the full security update. You should next expect to see an update from us announcing the availability of a Fix It tool to block the vulnerable code paths..."
Edited by AplusWebMaster, 30 December 2012 - 10:57 PM.