Symantec: Internet Explorer Zero-Day Exploit in the Wild

Monday, June 18, 2012

Headlines


Security provider Symantec has reported the discovery of an active in-the-wild exploit for a recently disclosed vulnerability in Internet Explorer.

Last week Microsoft issued a security bulletin regarding "one publicly disclosed and twelve privately reported vulnerabilities in Internet Explorer" which affect Internet Explorer 6 through 9 and "could allow remote code execution if a user views a specially crafted webpage using Internet Explorer," letting an attacker "gain the same user rights as the current user."

Microsoft resolved the vulnerability, but Symantec is reporting that the exploit has been detected in use in attacks against websites belonging to the human rights organization Amnesty International.

"Symantec recently discovered that the Amnesty International Hong Kong website had been compromised with an injected iframe linking to a Russian domain hosting a JavaScript file which actively exploited the Microsoft Internet Explorer CVE-2012-1875 Same ID Property Remote Code Execution Vulnerability (CVE-2012-1875). Last month Amnesty International suffered a similar attack on their UK website," Symantec reports.

Symantec's analysis of the affected Amnesty International Hong Kong website revealed an iFrame script injection.

"This iframe links to another piece of JavaScript hosted on the Russian domain. The iframe, meanwhile, displays a generic error page suggesting that the requested page is "Under Construction". However, after the page is loaded, a function labeled MyTest() is executed and attempts to exploit a vulnerability in the way IE handles cached objects in memory that have the same property ID," the company explained.
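A website-integrity check of the kind a site owner would run after a report like this, as an added example that is not Symantec's or the article's code: it scans a page's HTML for iframes that point off-site, are zero-sized, or are hidden by inline style, the three traits of the injection described above. The site and attacker hostnames and the HTML sample are constructed placeholders, not the real domains involved.

```python
import re
from urllib.parse import urlparse

# Constructed sample of a compromised page: one legitimate same-site iframe and
# one injected, invisible iframe pulling content from an off-site host.
SAMPLE_HTML = """
<html><body>
<h1>Example NGO - Hong Kong</h1>
<iframe src="/embed/video.html" width="400" height="300"></iframe>
<iframe src="http://example-attacker.invalid/exploit.js" width="0" height="0"
        style="visibility:hidden"></iframe>
</body></html>
"""

IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
ATTR_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')   # double-quoted attributes only


def find_suspicious_iframes(html, site_host):
    """Return a list of {'src', 'reasons'} dicts for iframes worth reviewing."""
    findings = []
    for tag in IFRAME_RE.findall(html):
        attrs = {k.lower(): v for k, v in ATTR_RE.findall(tag)}
        src = attrs.get("src", "")
        host = urlparse(src).hostname        # None for relative (same-site) URLs
        style = re.sub(r"\s", "", attrs.get("style", "")).lower()
        reasons = []
        if host and host.lower() != site_host.lower():
            reasons.append("off-site src: " + host)
        if attrs.get("width") == "0" or attrs.get("height") == "0":
            reasons.append("zero-size frame")
        if "hidden" in style or "display:none" in style:
            reasons.append("hidden via style")
        if reasons:
            findings.append({"src": src, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for hit in find_suspicious_iframes(SAMPLE_HTML, "www.example-ngo.invalid"):
        print(hit["src"], "->", ", ".join(hit["reasons"]))
```

Run against a saved copy of each page (or a crawl of the site), diffing the output between runs turns a one-off check into an ongoing integrity monitor.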

The exploit works against Windows XP, Vista and Windows 7 in a variety of language editions and delivers a previously identified Remote Access Trojan (RAT) known as Trojan.Naid.

"Trojan.Naid is a Trojan horse program that listens for and accepts a connection from the attacker to essentially provide unauthorized remote control functionality to the compromised computer over a custom communications protocol. This access allows the attacker to perform numerous nefarious activities such as stealing private information or monitoring Internet activities. The Trojan.Naid sample used in this attack and others has been observed to communicate to IP addresses hosted in Hong Kong by local Internet Service Providers," Symantec states.

The Amnesty International website has been rectified, according to the report.

Symantec noted that the exploit is being treated as a zero-day because the attacks took place before a patch for the vulnerability was released. The company adds that this is uncommon, which has led analysts to ask whether it signals a coming rise in zero-day exploitation.

"While the exploit used in this attack has been referred to as being a zero-day due to reports of it being seen in the wild before the recent Security Bulletin Summary, zero-days are not commonly observed in attacks. Most attacks use known, patched exploits readily available to attackers online. Other zero-days have, however, been reported in recent days, such as Microsoft’s announcement of the Microsoft XML Core Services CVE-2012-1889 Remote Code Execution Vulnerability (CVE-2012-1889) (Symantec detection Bloodhound.Exploit.465 and IPS Web Attack MSIE MSXML CVE-2012-1889), this begs the question: will we see more zero-days being used in similar attacks?"

Source:  http://www.symantec.com/connect/blogs/cve-2012-1875-exploited-wild-part-1-trojannaid
