Topic: Latest IE10 exploit targets U.S. military ?!

[Samker]

Microsoft may have released new Internet Explorer security patches earlier this week, but now the company has confirmed that a new zero-day exploit in IE10 has been found and is apparently being used by an unknown group to target members of the U.S. military.

The flaw was found by the security firm FireEye: http://www.fireeye.com/blog/uncategorized/2014/02/operation-snowman-deputydog-actor-compromises-us-veterans-of-foreign-wars-website.html , which it says was used by the mystery hackers to compromise the website of the U.S. Veterans of Foreign Wars. The firm states:

"We believe the attack is a strategic Web compromise targeting American military personnel amid a paralyzing snowstorm at the U.S. Capitol in the days leading up to the Presidents Day holiday weekend."

Visitors to the site with IE10 loaded another page created by the group in the background, which runs a Flash-based object that completes the rest of the attack. This issue is just with IE10; users who upgrade to the current IE11 browser are not affected by this exploit.

In a statement sent to Computerworld, Microsoft says it is aware of the IE10 zero-day issue and added, "We are investigating and we will take appropriate actions to help protect customers." IE10 currently has 9.28 percent of the worldwide web browser market share, according to Net Applications, but its percentage has gone down rapidly in the past few months since the launch of IE11: http://netmarketshare.com/

(NW)

[Fintech]

So, very interesting thing. IE11 is not vulnerable, if I understood correct!
I use only Firefox, but nowadays nobody doesn't be in security   

[Samker]

Microsoft tools protect IE10 until Patch Tuesday arrives

Microsoft last week issued a stopgap defense that protects Internet Explorer 9 (IE9) and IE10 against ongoing attacks until the company issues a patch, probably in three weeks.

An unpatched vulnerability in those two versions of Microsoft’s browser has been used by two hacker groups to compromise Windows 7 and Windows 8 PCs running IE10, including machines of a French defense contractor and its suppliers, according to Israeli security company Seculert. The attacks may have started as early as January 17.

“All affected customers should apply the easy, one-click ‘Fix it’ solution and follow the suggested mitigations outlined in the security advisory while an update is finalized,” said Dustin Childs, group manager of Microsoft’s Trustworthy Computing team, in an email.

Microsoft released a security advisory and a deeper dive into the vulnerability was posted by Neil Sikka: http://www.pcworld.com/article/2100330/microsoft-tools-protect-ie10-until-patch-tuesday-arrives.html , an engineer with the Microsoft Security Response Center (MSRC), on Microsoft’s Security Research & Defense blog: http://blogs.technet.com/b/srd/archive/2014/02/19/fix-it-tool-available-to-block-internet-explorer-attacks-leveraging-cve-2014-0322.aspx

It’s unlikely that Microsoft will rush out an emergency patch for the IE vulnerability, said Andrew Storms, director of DevOps at San Francisco-based security firm CloudPassage.

“It would seem like it’s still in the limited-attack category,” said Storms in an interview conducted using a messaging app. “So until that heats up, I don’t see them rushing to push an out-of-band fix.”

Microsoft has said it is working on a patch for the IE vulnerability, but offered nothing about a timetable. The next regularly-scheduled Patch Tuesday is three weeks away, on March 11.

Out-of-band updates—described as such because they are issued outside the normal monthly schedule Microsoft maintains for security patches—are rare: The last one Microsoft shipped was MS13-008, an emergency patch issued 13 months ago that plugged holes in IE6, IE7 and IE8 after those browsers had been exploited for about six weeks.

Security stopgaps offered

Until a patch is produced, Microsoft offered customers several options to protect themselves, including advice on configuring EMET 4.1 and running one of its “Fix it” automated tools to “shim” the DLL that contains the IE rendering engine.

EMET (Enhanced Mitigation Experience Toolkit) is a tool that manually enables anti-exploit technologies such as ASLR (address space layout randomization) and DEP (data execution prevention) for specific applications. Although it was originally designed for enterprise IT professionals, Microsoft has been touting its use as a security backstop for a wider audience of late.

Ironically, simply installing EMET does the trick; the attacks seen so far abort if they detect the presence of the toolkit.

But the Fixit route will be easiest for most people: Microsoft offered the tool on its support site: https://support.microsoft.com/kb/2934088#FixItForMe , and customers need only click the icon on the left, the one marked “Enable MSHTML shim workaround.” Microsoft has used the shim approach before when faced with unexpected attacks against IE, most recently last September.

Based on past practice, Microsoft’s Fixit workaround probably uses the Application Compatibility Toolkit to modify the core library of IE—a DLL (dynamic link library) named “Mshtml.dll” that contains the browser’s rendering engine—in memory each time IE runs. The shim does not quash the bug, but instead makes the browser immune to the attacks Microsoft has seen in the wild so far.

Users can also ditch IE for an alternate browser such as Google’s Chrome or Mozilla’s Firefox to stay safe until Microsoft comes up with a permanent fix, or if they’re able, upgrade to IE11, which does not contain the bug. Windows 7, Windows 8 and Windows 8.1 users can run IE11, but those still stuck on Windows Vista cannot, because the 2007 operating system maxed out at IE9, one of the two versions vulnerable to attack.

Mystery attacks

According to Web measurement company Net Applications, about a third of all those people using IE are running either IE9 or IE10; approximately 16 percent, or one in every six IE users, run IE10, the version that has been targeted by cybercriminals.

Storms was mystified by some aspects of the vulnerability, particularly Microsoft’s contention that, “We are not aware of any elevation of privilege or sandbox escape vulnerability being used to ‘break out’ of the Internet Explorer Protected Mode sandbox.”

Protected Mode is Microsoft’s label for the IE “sandbox,” a technology to isolate the browser from the rest of the system so that if a successful exploit does hack the browser, the attack code should not be able plant malware on the PC. Protected Mode has been a feature of IE since IE7, which debuted in 2006.

“Even after the exploit gains code execution, it still needs a non-trivial element to result in a persistent compromise of the computer,” Microsoft’s Sikka wrote on the Security Defense & Research blog.

If a sandbox escape was not part of the exploit, Storms and others wondered how the attackers had managed to plant malware on the compromised machines. When asked what that meant, Storms replied, “It means there is something they aren’t telling us.”

Chaouki Bekrar, CEO of French vulnerability research lab and zero-day seller Vupen, had wondered much the same last week. “Usual question about yesterday’s CVE-2014-0322 in the wild. How can it install EXE without IE sandbox bypass, any bypass there?” Bekrar asked in a Feb. 14 tweet directed at FireEye: https://twitter.com/cBekrar/status/434243129856651264

(PCW)

[Pez]

Some more input info and related links:

Product Coverage and Mitigation for CVE-2014-0322 (Microsoft Internet Explorer)

On February 19, Microsoft released Security Advisory (2934088) for Microsoft Internet Explorer. This vulnerability was previously reported, by 3rd parties, during the 2nd week of February 2014. In-the-wild exploitation has been observed (at least) back to early January 2014.

Specifically, the flaw is a use-after-free condition during Internet Explorer’s processing of specific CMarkup objects.

We are currently analyzing details and indicators. Watch this space for updates, indicators, and more information about this threat.


Current McAfee product coverage and mitigation:

 • McAfee Vulnerability Manager: The FSL/MVM package of February 13 includes a vulnerability check to assess if your systems are at risk.

 • McAfee Application Control: Run-Time Control locks down systems and provides protection in the form of Execution Control and Memory Protection.

 • McAfee VirusScan: Coverage for known, associated, malware is provided in the 7350 DATs (February 15) as “Exploit-SWF” and the 7354 DATs (February 19) as “Exploit-CVE2014-0322″ and “Backdoor-FBSR”.

 • McAfee Web Gateway: Coverage for known, associated, malware is provided in the 7350 DATs (February 15) as “Exploit-SWF” and the 7354 DATs (February 19) as “Exploit-CVE2014-0322″ and “Backdoor-FBSR”.

 • McAfee GTI / Web / URL Reputation-enabled Controls: McAfee products with GTI enabled will block/identify malicious IP/Domain/URL traffic associated with this threat.


References:

 • Microsoft Advisory: http://technet.microsoft.com/en-us/security/advisory/2934088
 • Microsoft Fixit / KB: https://support.microsoft.com/kb/2934088
 • OSVDB: http://osvdb.org/103354
 • NVD: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0322&cid=2
 • US-CERT: http://www.kb.cert.org/vuls/id/732479


Original article: By Jim Walter on Feb 19, 2014


Of course is their other products that also cover this worn ability but this is McAfee's statement in this case and some useful links fore more information.

[Pez]

Internet Explorer Zero Day Offers Unusual Case Study

While analyzing a recent Internet Explorer zero-day vulnerability, CVE-2014-0322 (containing the Flash sample hash b9c9dab0fd30418884800afebbaba4d99f4526ef0c9a47972a20ab20fed0a06d), we noticed the exploit makes an unorthodox call to ZwProtectVirtualMemory to bypass data execution prevention.

What is different about this call? The argument(s) of ZwProtectVirtualMemory are placed in an unusual manner. Typically arguments that are pointer variables belonging to the stack must be greater than the extended stack pointer (ESP, in the already allocated region of the stack). After setting the stack pivot, the exploit makes the call to ZwProtectVirtualMemory as shown in this screen:



"click the image to make it larger"

NTSYSAPI NTSTATUS NTAPI ZwProtectVirtualMemory (_In_ HANDLE   ProcessHandle,

_In_ PVOID *      BaseAddress,

_In_ SIZE_T *      NumberOfBytesToProtect,

_In_ ULONG       NewAccessProtection,

_Out_ PULONG   OldAccessProtection

)

The third parameter is a pointer variable on the stack, but this one lies in a yet to be allocated region of the stack. Typically the pointer should be greater than ESP, but in this case it is smaller.

Kernel calls don’t use the stack much; they are just a wrapper around the kernel, which has a different stack altogether. In the absence of a hook at ZwProtectVirtualMemory (for hook-based detection systems), this call will work smoothly like a normal call; but in the case of any hooks, this parameter has a tendency to get corrupted by allocated local variables of hooks and result in the failure of the API call, which will most likely result in the failure of the exploit–an unusual evasion by failure in the presence of a hook-based detection system.

We have also seen similar exploitation scenarios in the CVE-2013-3918 zero-day attack.


Original article: By Vinay Karecha on Feb 26, 2014