Exploit for new IE8 0-day vulnerability in the wild
A critical vulnerability in Internet Explorer 8 is being exploited in the wild and full information about how to make use of the vulnerability is now in widespread circulation. The recent attack on a sub-site of the US Department of Labor has revealed the attackers were in fact using a new exploit for a 0-day vulnerability which only affects Internet Explorer 8.
Initial reports suggested that the attack was using a known, and patched, vulnerability, CVE-2012-4792. It has since become clear that the exploit being used was not that one, but one for a different remote code execution vulnerability. While it continues its investigation, Microsoft has issued an advisory for this vulnerability, CVE-2013-1347, which still appears only in Internet Explorer 8. The flaw is a use-after-free problem that corrupts memory in such a way as to allow arbitrary code to be injected. A Metasploit module that exploits the vulnerability is now available, which means that the technique is generally accessible.
Microsoft suggests that users of IE8 could deploy EMET, the Enhanced Mitigation Experience Toolkit, and gives instructions on how to configure it to add its protective layer to IE8 through the EMET user interface, the command line or Group Policy. Upgrading to IE9 is also an option for Windows Vista and later, and upgrading to IE10 is an option for users of Windows 7 or later. The other option is, of course, switching to another browser such as Chrome or Firefox.
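To apply these options, an administrator first needs to know which clients still run IE8. The following Python sketch is an added example, not taken from Microsoft's advisory or this article: it picks IE8 clients out of proxy log lines by their User-Agent and maps each to the upgrade path described above. The log format (client address, tab, User-Agent) and the sample lines are constructed for illustration.

```python
import re

# Trident/4.0 is the IE8 rendering engine. IE8 in Compatibility View reports
# "MSIE 7.0" but still sends Trident/4.0, so match on the engine token.
TRIDENT4 = re.compile(r"\bTrident/4\.0\b")
NT_VERSION = re.compile(r"Windows NT (\d+)\.(\d+)")

def classify(user_agent):
    """Return None if the client is not IE8, else the options open to it."""
    if "MSIE " not in user_agent or not TRIDENT4.search(user_agent):
        return None
    m = NT_VERSION.search(user_agent)
    nt = (int(m.group(1)), int(m.group(2))) if m else None
    if nt is not None and nt >= (6, 1):   # Windows 7 or later
        return "IE9 or IE10 upgrade available"
    if nt == (6, 0):                      # Windows Vista
        return "IE9 upgrade available"
    # Older or unrecognised Windows: the article names no IE upgrade for it
    return "no IE upgrade: EMET or another browser"

# Constructed sample log: "<client address>\t<User-Agent>"
SAMPLE_LOG = """\
10.0.0.11\tMozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
10.0.0.12\tMozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2)
10.0.0.13\tMozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
10.0.0.14\tMozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0)
10.0.0.15\tMozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
"""

def inventory(log_text):
    """Map each client seen with an IE8 User-Agent to its options."""
    hosts = {}
    for line in log_text.splitlines():
        client, _, user_agent = line.partition("\t")
        action = classify(user_agent)
        if action:
            hosts[client] = action
    return hosts

if __name__ == "__main__":
    for client, action in inventory(SAMPLE_LOG).items():
        print(client, action)
```

The User-Agent header is set by the client and can be missing or altered, so treat the result as a starting list for follow-up rather than an authoritative inventory.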
There is speculation that the attack is a "watering hole" attack on the US nuclear industry. Evidence for this appears to be that the same or similar attacks have been staged on nine different sites, none of which have been identified beyond "several non-profit groups and institutes as well as a big European company that plays on the aerospace, defence and security markets," which suggests that if there is a target for the attack, it is a rather big, ill-defined one. The important message for all users is that they should be aware that there is a 0-day exploit for IE8 in the wild and that it is being used as part of attacks of unknown purpose.
(djwm)