Attackers are using an Internet Explorer vulnerability, which Microsoft patched yesterday, in targeted attacks that also employ a malicious Flash file installed through a drive-by download launched by compromised Web pages. The exploit that’s being used is capable of bypassing both ASLR and DEP.
The attacks are exploiting a memory corruption vulnerability in IE (CVE-2013-3163), one that Microsoft patched on Tuesday as part of its monthly patch cycle. The bug was addressed by bulletin MS13-055 and Microsoft officials also said that users who have EMET 4.0 installed, which includes additional memory protections. The attacks themselves appear to be limited and targeted right now, but with the details of the vulnerability now public, that may change.
“The exploit code uses a memory corruption bug triggered from a webpage but it deeply leverages a Flash SWF file in order to achieve reliable exploitation and code execution. The Flash file is made of a sophisticated ActionScript code that allocates certain objects in memory in such a way that they can be corrupted later by the Internet Explorer bug in order to give unsafe access to memory regions to the Flash ActionScript code that will carry on the entire exploitation,” Microsoft’s Cristian Craioveanu and Elia Florio wrote in an analysis of the attacks.
In the attack scenario described by Microsoft, attackers are constructing malicious Web pages that they’re then using to trigger the bug in vulnerable versions of IE. The MS13-055 patch issued yesterday applies to IE 6-10, which are all of the current versions. Once the vulnerability is triggered, the code then installs the malicious Flash file.
“The common pattern for this limited targeted attack is a drive-by webpage ‘vid.aspx’ or ‘list.aspx’ used as starting point to trigger the bug and run the secondary Flash payload,” the analysis says. “The shellcode used by the sample received attempts to download a graphic file (pageerror.gif) which contains appended an encrypted and compressed malicious executable, possibly launched from %TEMP% folder using ‘javae.exe’ filename.”