Late last week, the Council on Foreign Relations website was compromised and modified to host a 0-day exploit affecting Internet Explorer. Analysis revealed that the attack targeted a specific set of users: the exploit worked only if the browser language was set to English (US), Chinese (China), Chinese (Taiwan), Japanese, Korean, or Russian.
Microsoft has since issued a security advisory for the vulnerability and provided some workarounds to serve as protection until a solution is released. Trend Micro users, however, are already protected through Trend Micro Deep Security, specifically through the following rules:
- 1005297 – Microsoft Internet Explorer CDwnBindInfo Object Use-After-Free Vulnerability (CVE-2012-4792)
- 1005298 – Microsoft Internet Explorer CDwnBindInfo Object Use-After-Free Vulnerability (CVE-2012-4792) Obfuscated
The abovementioned rules are set to detect all known variants of exploits.
Old but Effective
My colleagues have discussed before that watering hole attacks are not new. In fact, use of this technique was seen as early as 2009. At the same time, however, they also think that watering hole attacks will become more prevalent in the future, and will be used specifically for targeted attacks. But why?
A possible answer is one of Raimund’s forecasts for 2013, in which he said that attackers will focus more on improving how they deploy threats than on developing malware. Attackers will leverage information that they can gather on their targets before conducting the attack, in order to come up with a more effective way to get to their targets.
If we look at how a watering hole attack works, we’ll see that the methods used are very familiar to us. However, the strategic placement of the threat makes it threatening on a different level than any other web compromise or 0-day attack, in the same way that a spear phishing email is more effective than typical spam emails. Attackers are able to craft strong social engineering methods by leveraging their knowledge of their target’s profile, thus eliminating the need to create very sophisticated tools. This is something that users must fully realize, because the attackers are no longer just using software vulnerabilities; they’re also using the users themselves.
As both Tom Kellermann and Nart Villeneuve have said, we will likely see more watering hole attacks in the coming year, so it is important for users to come up with a solution that is just as strategic as this attack is, or even more so.
Update as of 5:00 PM PST, January 14, 2013
Microsoft has released an out-of-cycle patch for this vulnerability. The full details may be found in the official Microsoft bulletin, MS13-008. Affected users should be able to download the patch from Windows Update; manual download links may be found inside the Microsoft bulletin. We strongly urge users to patch this vulnerability ASAP.
Update as of 6:42 AM PST, January 23, 2013
Trend Micro’s Deep Security has updated the DPI rule name from “1005298 – Microsoft Internet Explorer CDwnBindInfo Object Use-After-Free Vulnerability (CVE-2012-4792) Obfuscated” to “1005298 – Microsoft Internet Explorer CDwnBindInfo Object Use-After-Free Vulnerability (CVE-2012-4792) – 2”.