One might think that vulnerabilities in ActiveX controls are a thing of the past, but we continue to find evidence that they are not. Just this year, dozens of vulnerabilities have been discovered. In some cases an ActiveX exploit is more attractive to an attacker for targeting specific users of certain software, or a company that uses certain business applications.
A few weeks ago, we encountered such an example: an unknown vulnerability in an ActiveX control exploited in the wild. It was DaumGame ActiveX, a control required for playing a web game by Daum Communications on their website. Below, I outline the vulnerability and how one particular attacker exploited it.
SpiderLabs investigates a number of suspicious binary files on a daily basis. A week ago we came across a PDF file which exploited two different vulnerabilities: a remote-code-execution vulnerability in Adobe Reader and a new escalation-of-privileges vulnerability in the Windows kernel.
Just recently we confirmed that the new escalation-of-privileges zero day (CVE-2013-5065) has been delivered in the wild using CVE-2013-3346 as a container. Our goal in this blog post is to raise public awareness by describing the technical details behind this recent kernel zero-day. We've tested the zero day on Windows XP and Server 2003 only.
Just two days ago we announced the discovery of in-the-wild attacks that used the zero-day which is now known as CVE-2013-3897. At that time we also promised to provide a more detailed analysis of the exploit.
Now we have the opportunity to provide a full and detailed analysis of the vulnerability (CVE-2013-3897) itself that has been used by the attacker, and to examine the patterns used by the attacker compared with the previous zero-day attack (CVE-2013-3893).
Every once in a while we get to peek into the lion's den. This time we'll be checking out a fairly large instance of the Pony botnet controller, containing a large amount of stolen credentials and other goodies.
Pony, for those of you who have not yet had the pleasure of encountering it, is a bot controller much like any other: It has a control panel, user management, logging features, a database to manage all the data and, of course, statistics. It also seems to be doing these things right, as it appears to be popping up quite a bit lately.
While many workers around the world were celebrating the May 1st events, the US Department of Labor website got hacked and was used to redirect browsers to a 3rd party site which served a new IE 8 0day exploit, known as CVE-2013-1347. Microsoft already released an advisory about it last Friday.
Apparently, the attackers collected technical statistics on the victims’ browser plugins BEFORE serving them with the IE exploit, for example whether plug-ins from their antivirus product, from Fiddler Proxy or from TamperData are installed. That information is then sent to the aforementioned 3rd party site.
According to a tweet from one of Metasploit's exploit developers, a module for this CVE will be released soon. Therefore an increase in exploit attempts against this CVE is quite likely.
And now to the good news: Trustwave SWG Server (versions 10.1 and higher) blocks this attack out-of-the-box using its generic protection engines, without any further update, thus maintaining its good record of blocking the recent 0-day attacks.
It's been a short while, but we find ourselves again with a Java vulnerability in our hands, this time via a PoC provided by IKVM.NET.
This particular vulnerability is somewhat different from most Java vulnerabilities we run into, but feels like a natural progression from the last Java 0day we discussed in our blog (CVE-2013-1493). Both these vulnerabilities allow direct memory manipulation, something which is quite uncommon in Java.
The vulnerability itself has to do with type confusion between an int and a double, causing 8 bytes to be copied instead of 4, thus overwriting a pointer and allowing us to reach an otherwise inaccessible area of memory.
As security researchers, our virtual journey in revealing new threats on the web is never-ending. Every once in a while we come across a curious and interesting web attack. Today’s blog post will tell the story of one such case we’ve encountered recently.
Last week, we ran into what looked like a hacked adult website that redirected browser requests to a web page which served two malicious Java applets. The landing page and the Java applets were recognized as the Sweet Orange Exploit kit (thanks to Kafeine).
As you may already know, the past few months have been problematic for Oracle when it comes to security issues discovered in the popular and notorious Java browser plugin. The latest vulnerability that has been spotted being exploited in the wild is CVE-2013-1493.
It has already been published that CoolEK became the first exploit kit to add an exploit for CVE-2013-1493, so I won't bother you with the details of that. What's probably more interesting is the nature of this exploit. Most Java exploits from the past year or two used missing security checks in the Java source code in order to bypass the SecurityManager, the part of Java responsible for making sure that unsafe code (unsigned code written by 3rd parties) won't be able to perform certain operations which require elevated privileges. Other exploits used some type confusion or tricked the optimizer into doing the same thing. Yet, in our current case, a memory corruption bug was found which allows the attacker to entirely nullify the SecurityManager.
This is the kind of exploit which is usually found in browsers and other non-sandboxed applications, so it was a little bit of a surprise to see such techniques in Java code.
It's now official: there is another bulletin (MS13-008) released for the month of January, and affected Microsoft Windows users should be expecting an out-of-band security patch soon. This out-of-band security patch fixes one memory corruption vulnerability discovered in Internet Explorer versions 6 through 8 that can result in remote code execution. Any vulnerability that allows remote code execution is critical and it should be patched ASAP.