Another new vulnerability found in Microsoft Internet Explorer affects Internet Explorer versions 8 and 9 and is being used in the wild by cyber-criminals. Specific configurations of Internet Explorer 6, 7, 8, 9, 10, and 11 are also potentially vulnerable. This vulnerability allows attackers to execute code on a machine by just having the user visit a malicious website. This can happen, for example, when the user is tricked into clicking a link in an email or via compromised legitimate websites.
Websense® researchers have reviewed third-party telemetry feeds from real-time global Internet requests to determine the initial scope and estimate that close to 70% of Windows-based PCs are vulnerable. While the exploit appears to affect all versions of IE, at the moment, attacks seem to only be targeting users of IE8 and IE9 who are running Windows 7 and XP operating systems. Websense strongly encourages IT administrators to install the Microsoft FixIt patch (CVE-2013-3893 MSHTML Shim Workaround) to stop the vulnerability while waiting for a formal patch from Microsoft.
The vulnerability is a remote code execution vulnerability. It exists in the way that Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated. The vulnerability may corrupt memory allowing an attacker to execute arbitrary code affecting current users within Internet Explorer. A user can be lured into viewing a specially crafted website that is designed to exploit this vulnerability through Internet Explorer.
An attacker who successfully exploits this vulnerability could gain the same user rights as the current user. Users who operate with administrative rights could be more affected than those whose accounts are configured to have fewer user rights on the system.
The vulnerability has been assigned the name, CVE-2013-3893. Microsoft has released a KB2887505 which provides Fix-It solution. There is a patch available at the current time that this blog is being written. More information about the vulnerability can be found in this Microsoft Advisory 2887505. We suggest that you apply Fix-It as soon as possible if you use an Internet Explorer browser and that you patch your system as soon as possible, too.
At the moment, attacks that use this vulnerability are very targeted and limited to the Japan region. Though it might not affect everyone yet, since Fix-It is in place, attackers can analyze the part of the code that is going to be fixed and replicate an exploit. In a short period of time, an exploit for this vulnerability might become part of well-known exploit kits and will not be limited to a particular region. Websense researchers have implemented real-time protection against this vulnerability and are constantly monitoring the Websense ThreatSeeker® Intelligence Cloud for indications of the CVE-2013-896 exploit being adopted by cyber-criminals and/or integrated into exploit kits.