New Internet Explorer 0-day exploited in the wild

Microsoft reports targeted attacks against users of Internet Explorer 8 and 9 that exploit a 0-day vulnerability, CVE-2013-3893 (Microsoft Security Advisory 2887505; the corresponding Fix it is named "CVE-2013-3893 MSHTML Shim Workaround"). The bug is present in all supported versions of Internet Explorer (6 through 10) on Windows XP SP3, Vista, 7, 8 and RT, 32-bit and 64-bit alike. As with many other IE vulnerabilities it is of the remote code execution type and is used by attackers to install malicious code covertly. The root cause is memory corruption: a use-after-free in the browser's rendering engine (MSHTML), which accesses a memory block after it has been freed. The attacker's code runs with the same rights as the current user, so it is not an escalation by itself, but a non-admin user still loses everything that account can reach.

Microsoft is investigating public reports of a vulnerability in all supported versions of Internet Explorer. Microsoft is aware of targeted attacks that attempt to exploit this vulnerability in Internet Explorer 8 and Internet Explorer 9. Applying the Microsoft Fix it solution, «CVE-2013-3893 MSHTML Shim Workaround,» prevents the exploitation of this issue. See the Suggested Actions section of this advisory for more information.

The vulnerability is a remote code execution vulnerability. The vulnerability exists in the way that Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated. The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website.

Microsoft has released a Fix it that works around the issue (it covers the 32-bit version of the browser only); it is linked from Security Advisory 2887505. Note that update KB2870699 from the latest Patch Tuesday (MS13-069: Cumulative security update for Internet Explorer, September 10, 2013) must be installed first, because the workaround shims the mshtml.dll shipped in that update; applying the Fix it on a browser without KB2870699 leaves it unprotected. Users of 64-bit Internet Explorer get nothing from the Fix it and have to rely on EMET, or on not browsing untrusted sites with IE, until a patch ships.

The EMET tool, which we have covered in detail on this blog, blocks the exploit for this vulnerability. After installation EMET protects Internet Explorer by default, and the following mitigations, all enabled by default for iexplore.exe, stop the techniques the exploit relies on:

  • Mandatory ASLR
  • ROP mitigations
    • MemProt
    • Caller
    • SimExecFlow
    • StackPivot

  • Heap spray pre-allocation. EMET reserves memory at addresses that exploits commonly spray, so a spray cannot place attacker-controlled data there. The in-the-wild exploit sprays to 0x12121212, which is not in EMET's default list, so add it by hand:
    • Under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EMET, find the value for Internet Explorer (its name is the path pattern *\Internet Explorer\iexplore.exe) and note its data, which is the index of that application's settings.
    • Open the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EMET\_settings_\<index from the previous step> and its heap_pages value.
    • Append 0x12121212 to the list, then restart Internet Explorer so EMET picks up the change.

Two caveats: heap spray pre-allocation only defeats sprays aimed at the listed addresses (an attacker who changes the spray target bypasses it), so the ASLR and ROP mitigations above are the more robust part of this defence; and none of this replaces the vendor patch once it ships.
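To make the Fix it prerequisite check and the registry edit above repeatable across machines, here is an added PowerShell script (example code written for this page; it is not part of the original post and not Microsoft's or EMET's own tooling). It assumes the registry layout the steps above describe (a value named *\Internet Explorer\iexplore.exe under HKLM\SOFTWARE\Microsoft\EMET holding an index, and a heap_pages string under _settings_\<index>), that heap_pages is a semicolon-separated list of hex addresses, and that it runs in an elevated PowerShell; the function and variable names are the example's own.

```powershell
# Added example for this page: audit the prerequisites above and extend EMET's
# heap-spray pre-allocation list for iexplore.exe. Not part of the original post
# and not Microsoft's or EMET's own tooling.
# Assumptions (not verified against every EMET build):
#   - the registry layout is the one the steps above describe: a value named
#     '*\Internet Explorer\iexplore.exe' under HKLM\SOFTWARE\Microsoft\EMET whose
#     data is an index, and a REG_SZ 'heap_pages' under _settings_\<index>;
#   - heap_pages is a ';'-separated list of hex addresses;
#   - the script runs in an elevated PowerShell (HKLM is read-only otherwise).

$RequiredHotfix = 'KB2870699'                  # MS13-069, prerequisite for the Fix it
$EmetRoot       = 'HKLM:\SOFTWARE\Microsoft\EMET'
$IEAppValue     = '*\Internet Explorer\iexplore.exe'
$SprayAddress   = '0x12121212'                 # sprayed by the exploit; not in EMET's default list

function Test-Ms13069Installed {
    # Get-HotFix reads Win32_QuickFixEngineering; the Fix it shim needs this update in place.
    [bool](Get-HotFix -Id $RequiredHotfix -ErrorAction SilentlyContinue)
}

function Get-IEInfo {
    # svcVersion is set on IE 10 and later, Version on older releases.
    $ie = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Internet Explorer' -ErrorAction Stop
    [pscustomobject]@{
        Version   = if ($ie.svcVersion) { $ie.svcVersion } else { $ie.Version }
        Is64BitOS = [Environment]::Is64BitOperatingSystem   # the Fix it covers only the 32-bit browser
    }
}

function Get-EmetIESettingsKey {
    # Resolve HKLM\SOFTWARE\Microsoft\EMET\_settings_\<index> for Internet Explorer.
    $index = (Get-ItemProperty -Path $EmetRoot -ErrorAction Stop).$IEAppValue
    if ($null -eq $index) { throw "EMET has no entry for '$IEAppValue'; add iexplore.exe to EMET first." }
    Join-Path $EmetRoot "_settings_\$index"
}

function Get-EmetHeapPages {
    # Current pre-allocation list as an array of '0x...' strings (empty if none).
    $key = Get-EmetIESettingsKey
    $raw = (Get-ItemProperty -Path $key -Name heap_pages -ErrorAction Stop).heap_pages
    @([string]$raw -split ';' | Where-Object { $_ -ne '' })
}

function Add-EmetHeapPage {
    param([Parameter(Mandatory = $true)][string]$Address)
    # Only 32-bit hex addresses make sense here: pre-allocation targets the
    # 32-bit address space an IE heap spray fills.
    if ($Address -notmatch '^0x[0-9A-Fa-f]{1,8}$') { throw "Not a 32-bit hex address: $Address" }
    $pages = Get-EmetHeapPages
    if ($pages -contains $Address) { return $pages }   # idempotent: already listed
    $updated = @($pages) + $Address
    Set-ItemProperty -Path (Get-EmetIESettingsKey) -Name heap_pages -Value ($updated -join ';')
    $updated
}

# --- run the audit and apply the change ---
$ie = Get-IEInfo
Write-Host "Internet Explorer $($ie.Version), 64-bit OS: $($ie.Is64BitOS)"
if (Test-Ms13069Installed) {
    Write-Host "$RequiredHotfix is installed; the 'CVE-2013-3893 MSHTML Shim Workaround' Fix it can be applied."
} else {
    Write-Warning "$RequiredHotfix is missing; install MS13-069 before applying the Fix it."
}
$pages = Add-EmetHeapPage -Address $SprayAddress
Write-Host "EMET heap_pages for iexplore.exe: $($pages -join ';')"
Write-Host "Restart Internet Explorer so EMET loads the new list."
```

Run it elevated on each host, then confirm in the EMET GUI that iexplore.exe's heap pages now include 0x12121212. The script is idempotent, so it is safe to push through a logon script or configuration management, and the address validation refuses anything that is not a 32-bit hex value so a typo cannot corrupt the list. Remember that this only closes the one spray address the exploit uses; the Mandatory ASLR and ROP checks listed above remain the broader protection.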

UPD: exploitation details.