Zero-day exploits and November 2013 Microsoft Patch Tuesday

Zero-day exploits and November 2013 Microsoft Patch Tuesday

Yet more serious zero day exploits are in the wild enabling organised crime syndicates to access your stuff and use your computing resources for their own ends. In this TOTW we look at some specific live nasties:

Operation DeputyDog(CVE-2013-3893) is a use-after-free (manipulation of pointers to memory after they have been de-allocated) vulnerability in the SetMouseCapture implementation in mshtml.dll in Microsoft Internet Explorer 6 through 11. It allows remote attackers to execute arbitrary code via crafted JavaScript strings, as demonstrated by use of an ms-help: URL that triggers loading of hxds.dll.

Operation DeputyDog is a campaign, started in August 2013 targeting organisations in Japan and leverages a command and control infrastructure.

Microsoft has released updates and FixIt workarounds for the above, for further details please visit the following URL:

Recently multiple critical and zero-day exploits have been discovered in the wild affecting multiple versions of Internet Explorer.

The payload has been identified as a variant of Trojan.APT.9002(Hydraq/McRAT variant), it seems to have some relationship to Operation DeputyDog.

Rather than write to the disk, the exploit loads directly into memory. This makes detection and forensics more challenging.

This exploit is labelled as Operation Ephemeral Hydra.

In addition to the previous vulnerabilities, in November 2013 Microsoft Patch Tuesday fixed several critical client vulnerabilities: CVE-2013-3918 ActiveX (icardie.dll) is of particular importance.

CVE-2013-3918 refers to a recently discovered zero-day exploit that as per the latest updates is currently controlled by systems hosted in the US.

An unspecified ActiveX control in Microsoft Internet Explorer 7 through 10 allows remote attackers to execute arbitrary code or cause a denial of service (out-of-bounds write) via unknown vectors, as exploited in the wild in November 2013.

If successfully exploited, rundll32.exe is launched and the payload is using the following actions:

CreateProcess, OpenProcess, VirtualAlloc, WriteProcessMemory, CreateRemoteThread

This exploit writes to disk unlike the one mentioned earlier in this post.

Please find the details from the latest Microsoft Patch Tuesday under the following link:

In regards to APT detection especially if the exploit does not write to disk making detection and forensics investigation difficult, we recommend cloud-based sandboxing threat detection technologies like Palo Alto Wildfire, that can inspect and load the different files in a virtualised “sandboxed” environment to identify any unknown threats, viruses, exploits.

ITC integrates Palo Alto Wildfire along with log management into our NetSure360° security service powered by HP ArcSight, complete with threat feed and malware detection in order to provide true visibility, control and assurance in this rapidly evolving and highly complex landscape.

In the meantime, keep patching furiously! Are any of you still using Internet Explorer? You could come to the inaugural meeting of IE Anonymous at ITC Towers and share your pain.

Contact ITC at [email protected] to discuss our NetSure360° Security, Performance and Network Management platform or call 020 7517 3900.