A new vulnerability found in Microsoft Internet Explorer affects Internet Explorer version 8. The vulnerability allows attackers to execute code on a machine by just having the user visit a malicious website. This can happen, for example, when the user is tricked into clicking a link in an email or via compromised legitimate websites, such as the recently compromised Department of Labor website, which was subsequently used in a water hole attack. Malicious payloads delivered from this compromise were confirmed by Microsoft to exploit the new vulnerability, designated CVE-2013-1347.
The vulnerability itself lies in the way that Internet Explorer accesses an object that has been deleted or not properly allocated. This vulnerability has now been listed by Metasploit, which means it is available publicly, and we anticipate that we'll soon see this Internet Explorer vulnerability used in broader attacks.
More information about the vulnerability can be found in Microsoft Advisory 2847140.
How Does Websense Protect You?
Websense customers are protected with ACE™, our Advanced Classification Engine.
ACE is able to protect from all known samples (at a URL level and with real-time analytics). We have also examined the sample code from Metasploit and added protection for that and any subsequent variations.
If we correlate this attack to the 7 Stages of Advanced Threats (as explained in our whitepaper), we currently have protection for:
- Stage 2 (Lure) - the website involved in the water hole attack
- Stage 3 (Redirect) - the websites that take the user to the delivery of the exploit code
- Stage 4 (Exploit Kit) - we have real-time detection of the exploit code
- Stage 6 (Call Home) - we offer protection from the websites used for Command & Control
- Should the malware author's attack be successful, our customers would be protected from Stage 7 (Data Theft) through the use of our data loss prevention tools.
As a member of the Microsoft Active Protection Program (MAPP), we are also working with Microsoft to monitor this situation.
Thursday, May 9, 2013:
Microsoft have released a "Fix it" solution for CVE-2013-1347; however, keep in mind that a Fix it solution isn't going to be as strong as a full patch solution.