Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Mobile Vulnerabilities

  • Zero-Day Alerts

  • Recent Posts

  • Calendar

    September 2015
    S M T W T F S
    « Aug    
  • Email Subscription

  • About Us

    Late last week, the Council on Foreign Relations website was compromised and modified to host a 0-day exploit affecting Internet Explorer. Analysis revealed that the attack was set to affect a specific set of users, as it was set to work only if the browser language was set to English (US), Chinese (China), Chinese (Taiwan), Japanese, Korean, or Russian.

    Microsoft has then issued a security advisory for the vulnerability and provided some workarounds, to serve as protection until a solution is released. Trend Micro users, however, are already protected through Trend Micro Deep Security, specifically through the following rules:

    • 1005297 – Microsoft Internet Explorer CDwnBindInfo Object Use-After-Free Vulnerability (CVE-2012-4792)
    • 1005301 – Identified Suspicious JavaScript Encoded Window Location Object
    • 1005298 – Microsoft Internet Explorer CDwnBindInfo Object Use-After-Free Vulnerability (CVE-2012-4792) Obfuscated

    The abovementioned rules are set to detect all known variants of exploits.

    The use-after-free vulnerability in Microsoft Internet Explorer enables remote attackers to execute arbitrary code execution. As stated in Microsoft’s blog, we have also observed that all the reported targeted attacks so far have been triggered by an encoded or obfuscated JavaScript Window Location objects which is generally used to change the location object of the current window. The vulnerability is with cButton object which has been freed but its reference was used again during the page reload will point to an invalid memory location yielding arbitrary code execution under the context of the current user. Microsoft Internet Explorer versions 6, 7, and 8 are affected, but newer versions such as IE9 & IE 10 are not affected by this vulnerability.

    Old but Effective

    My colleagues have discussed before that watering hole attacks are not new. In fact, usage of such technique was seen as early as 2009. At the same time, however, they also think that watering hole attacks will become more prevalent in the future, and will be used specifically for targeted attacks. But why?

    A possible answer to that would be one of Raimund’s forecasts for 2013, wherein he said that attackers will focus more on improving how they deploy the threats, and not on the development of malware. Attackers will leverage on information that they can gather on their targets before conducting the attack, in order to come up with a more effective way to get to their targets.

    If we look at how a watering hole attack works, we’ll see that the methods used are very much familiar to us. However, the strategic placing of the threat itself makes it threatening in a more different level than any other web compromise or 0-day attack, in the same way that a spear phishing email is more effective than the typical spam emails. Attackers are able to generate strong social engineering methods by leveraging their knowledge of their target’s profile, thus eliminating the need for creating very sophisticated tools. And this is something that users must fully realize, because the attackers are no longer just using software vulnerabilities, they’re also using the users themselves.

    As both Tom Kellermann and Nart Villeneuve have said, we will likely see more watering hole attacks in the coming year, thus it is important for users to come up with a solution that is just as strategic as this attack is, or even more.

    Update as of 5:00 PM PST, January 14, 2013

    Microsoft has released an out-of-cycle patch for this vulnerability. The full details may be found in the official Microsoft bulletin, MS13-008. Affected users should be able to download the patch from Windows Update; manual download links may be found inside the Microsoft bulletin. We strongly urge users to patch this vulnerability ASAP.

    Update as of 6:42 AM PST, January 23, 2013

    Trend Micro’s Deep Security has updated the DPI rule name, 1005298 – Microsoft Internet Explorer CDwnBindInfo Object Use-After-Free Vulnerability (CVE-2012-4792) Obfuscated to 1005298 – Microsoft Internet Explorer CDwnBindInfo Object Use-After-Free Vulnerability (CVE-2012-4792) – 2.

    Share this article
    Get the latest on malware protection from TrendLabs
    Email this story to a friend   Technorati   NewsVine   MySpace   Google   Live   StumbleUpon

    Comments are closed.


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice