
    Author Archive - Navtej Singh (Senior Security Researcher)




    Microsoft has released MS12-063 to address vulnerabilities affecting Internet Explorer versions 6, 7, 8, and 9. The most severe of these allows arbitrary code execution when exploited. This is the same vulnerability that was earlier reported as being used in attacks that led to remote access tools (RATs). Here’s an in-depth analysis of one of the vulnerabilities:

    The use-after-free vulnerability arises when a deleted object is referenced, for instance by calling document.write() to replace the whole page while an event queued through the execCommand method is still pending. When the execCommand method is called, a CMshtmlEd object is created. When the page is replaced and the object is deleted, Internet Explorer releases that CMshtmlEd object. Later, mshtml!CMshtmlEd::Exec() accesses the released CMshtmlEd object without verifying that it is still valid, leading to the use-after-free vulnerability.

    In the samples we’ve seen, execCommand is invoked with the action “selectAll”. At the same time, the body has another action triggered on selection. This action replaces the whole page with some text, forcing IE to free the body objects. After the objects have been deleted, execCommand tries to use them, triggering the vulnerability. A Flash object is used to spray the heap with controlled data and alter the execution flow.

    Zero-day Exploit in the Wild

    The exploit for the above-mentioned vulnerability, detected by Trend Micro as HTML_EXPDROP.II, was seen used in several attacks. In one instance, the exploit was found loading SWF_DROPPR.II, which in turn downloads a PoisonIvy variant detected as BKDR_POISON.BMN. The second attack spotted leads to TROJ_PLUGX.ME, which executes malicious files on the infected systems. This malware is a variant of the PlugX remote access tool (RAT) we recently blogged about here.

    Users are advised to update their systems with the latest patch from Microsoft. Trend Micro Smart Protection Network™ protects users by detecting the exploit and other malicious files and by blocking access to the malicious servers. Moreover, Trend Micro’s Deep Security protects users through IDF rule 005194 – Microsoft Internet Explorer ‘execCommand’ Use-After-Free Vulnerability. Lastly, Titanium 2013 safeguards user systems via its browser exploit prevention feature.

    Update as of Sept. 25 4:57 AM PDT

    There seems to be no stopping attackers from targeting this vulnerability, as we saw more attacks leveraging this software bug. In particular, several compromised websites were found hosting exploits aimed at this vulnerability. Users who visit these sites are served the exploit, which ultimately leads them to download PlugX variants onto their computers.

    Below are some of these compromised sites and attacks.

    Compromised Site             Exploit                             Malicious .SWF File Component   Payload
    everich2.{BLOCKED}ft.tw.rar  HTML_EKSPLOYT.AE, HTML_EXPDROP.II   SWF_DROPPR.II                   BKDR_PLUGX.AQ
    get.{BLOCKED}ks.com.rar      HTML_EXPDROP.II                     SWF_DROPPR.II                   BKDR_PLUGX.AR
    www.{BLOCKED}enews.in.rar    HTML_EKSPLOYT.AE, HTML_EXPDROP.II   SWF_DROPPR.II                   BKDR_PLUGX.AP
    www.{BLOCKED}in.com.tw.rar   HTML_EKSPLOYT.AE, HTML_EXPDROP.II   SWF_DROPPR.II                   BKDR_PLUGX.AQ
    www.{BLOCKED}gameshow.com    HTML_EXPDROP.SMA, HTML_EXPDROP.SMB  SWF_DROPPR.II                   BKDR_PLUGX.AT

    With these developments, it is imperative for users and IT administrators to update their systems with the security patch released by Microsoft. Trend Micro users need not worry as they are protected from these threats.


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice