Patched IE zero-day and older flaw exploited in ongoing targeted attacks
Posted on 10 October 2013.
With this month's Patch Tuesday, Microsoft has delivered the patch for the infamous Internet Explorer zero-day (CVE-2013-3893) that has been spotted in attacks dating back as far as three or four months, which have been tied to the Chinese hacking group that hit Bit9 earlier this year.

What has received a little less attention is that a patch for another IE zero-day actively exploited in the wild has been released simultaneously: CVE-2013-3897.

"The vulnerability is caused by a 'use-after-free' error when processing 'CDisplayPointer' objects within mshtml.dll and generically triggered by the 'onpropertychange' event handler; the vulnerability could be exploited remotely by attackers to compromise a system via a malicious web page," Elad Sharf, Senior Security Researcher at Websense, explained in a blog post.

The flaw is being exploited in a series of highly targeted, low-volume attacks in Korea, Hong Kong, and the US, aimed at companies in the finance, engineering and construction, manufacturing and government sectors.

The attack lure pages are located in a network range assigned to the Republic of Korea, and present a consistent URL structure (x.x.x.x/mii/guy2.html). It's also interesting to note that there are other pages - with the same structure - that serve an exploit for an older IE flaw (CVE-2012-4792), which was patched a while back.

And while the exploit for the CVE-2013-3897 bug is triggered only for visitors running IE 8 on 32-bit Windows XP with the language set to Japanese or Korean, the CVE-2012-4792 exploit doesn't make any distinctions and targets all visitors.

"Cybercriminals continue to innovate; they find zero-day vulnerabilities and utilize them in low volume targeted attacks, and in parallel they also employ older well-known exploits," says Sharf. "This is indicative of them having conducted thorough reconnaissance in order to deliver payloads that they believe are likely to succeed."
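The lure URL structure and targeting conditions described above can be turned into a proxy-log triage check. The following is an added example, not code from Websense or the original article: the record field names, the constructed sample records (documentation address ranges), the reading of "same structure" as any .html page under /mii/ on an IPv4-literal host, and the use of Accept-Language as a stand-in for the system language are all assumptions.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Assumption: "same structure" = IPv4-literal host serving an .html page under /mii/.
LURE_PATH = re.compile(r"^/mii/[^/]+\.html$", re.IGNORECASE)

def is_lure_url(url):
    """True if the URL has the x.x.x.x/mii/<page>.html shape."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    try:
        ipaddress.IPv4Address(parts.hostname or "")
    except ValueError:  # hostname is a DNS name, not an IPv4 literal
        return False
    return bool(LURE_PATH.match(parts.path))

def matches_3897_profile(user_agent, accept_language):
    """IE 8 on 32-bit Windows XP (NT 5.1) with Japanese or Korean listed."""
    xp32_ie8 = "MSIE 8.0" in user_agent and "Windows NT 5.1" in user_agent
    tags = [t.split(";")[0].strip().lower() for t in accept_language.split(",")]
    return xp32_ie8 and any(t.split("-")[0] in ("ja", "ko") for t in tags)

def triage(records):
    """Return (client, url, priority) for each request to a lure-shaped URL.

    Every hit needs review because the CVE-2012-4792 pages target all
    visitors; clients matching the CVE-2013-3897 profile are ranked "high".
    """
    hits = []
    for rec in records:
        if not is_lure_url(rec["url"]):
            continue
        high = matches_3897_profile(rec["user_agent"], rec["accept_language"])
        hits.append((rec["client"], rec["url"], "high" if high else "review"))
    return hits

IE8_XP = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"
IE9_W7 = "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
SAMPLE = [  # constructed proxy records, not real traffic
    {"client": "10.0.0.21", "url": "http://203.0.113.7/mii/guy2.html",
     "user_agent": IE8_XP, "accept_language": "ko-KR"},
    {"client": "10.0.0.35", "url": "http://203.0.113.7/mii/guy2.html",
     "user_agent": IE9_W7, "accept_language": "en-US,en;q=0.8"},
    {"client": "10.0.0.40", "url": "http://intranet.example/mii/guy2.html",
     "user_agent": IE8_XP, "accept_language": "ja"},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE):
        print(hit)
```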

