This was a two-for-one deal that Windows administrators could have done without.

Already expecting one patch for an Internet Explorer zero-day being actively exploited, admins got fixes for two zero days instead yesterday as part of Microsoft’s October 2013 Patch Tuesday security updates.

The second caught everyone by surprise, especially organizations already swaying in the wind without a patch for one IE bug being used in active attacks, and for which a Metasploit exploit was available. The bonus fix was for an unrelated bug in the wild for close to a month and also targeting organizations in Japan and Korea, similar to the first zero day.

Researchers at the National Cyber Security Centre of the Netherlands, IOprotect GmbH and Trustwave’s SpiderLabs were credited in the advisory by Microsoft for reporting the vulnerability. SpiderLabs’ Director of Security Research Ziv Mador told Threatpost the company’s researchers were monitoring an attack server that had up until two weeks ago been serving exploits for patched vulnerabilities only. That changed on Sept. 12, Mador said, when an IE 8 exploit bubbled to the surface that his researchers hadn’t seen before.

“It is being used to distribute general malware,” Mador said. “Unlike the previous zero day in IE, this one distributes malware to steal credentials from online gamers, or disrupt access to banking sites. It’s general malware, not targeted attacks.”

The previously reported IE zero day had been used in very targeted attacks against Japanese media companies. The media sites were compromised as part of a watering hole attack and were serving exploits, according to researchers at FireEye, targeting government, high-tech and manufacturing organizations in Japan. FireEye called it a large-scale intelligence gathering operation.

Microsoft had released a Fix-It tool as a temporary mitigation upon disclosing that attacks were in the wild. Last Friday, a Metasploit exploit module was added to the toolkit, ramping up the possibility that more widespread attacks could be imminent.

The second zero day targeted users in Japan and Korea via drive-by downloads. One feature was its ability to identify the language the infected machine was configured to. If neither Japanese nor Korean, IE would redirect to Google and the attack would be terminated, Trustwave said in a blogpost.

However, if it validates the language and IE 8, the attack uses ROP chains to bypass memory protections native to Windows such as DEP and ASLR.

The attack payload includes no fewer than 10 drivers, executables and DLLs dropped onto the victim’s machine, Trustwave said. It will try to disable a number of security products on the computer, redirect banking sites to an attacker-controlled domain and also has components that try to steal gaming credentials.

“The exploit is not trivial and these types of exploits are often not trivial. They require a number of quite creative combinations to work,” Mador said. “That was the case here.”

In addition to the ROP chains, the attack also uses the DOM Element Property Spray technique used in the other IE zero day patched yesterday.

“There are a million ways to develop HTML pages or Web applications, so many attributes, tags, scripts. People who develop browsers have to deal with a huge amount of possible scenarios,” Mador said, pointing to a number of natural places where vulnerable code could lurk in the parsing and rendering of any of these components.

“When we look at exploit code for browser vulnerabilities, quite often they use weird combinations from an HTML perspective that don’t make sense,” Mador said. “They don’t seem to show anything interesting, but the purpose of the combinations is to trigger some vulnerability in the code parsing or memory management.”

The patch was part of a cumulative update for IE addressed in MS13-080; IE has been patched nearly every month in 2013, including an out of band patch earlier this year.

Categories: Microsoft