Posts tagged Microsoft
As announced yesterday, in an advanced notification, Microsoft has release an out-of-band patch MS13-008 to fix the an Internet Explorer 0day , CVE-2012-4792, discovered exploited in targeted attacks against different organizations like Council on Foreign Relations (CFR.org), a foreign policy web group.
This vulnerability was acknowledged by Microsoft, in MSA-2794220, the 30 December, but was exploited in targeted attacks since minimum beginning December. Two weeks after the acknowledge, the patch is out and will fix this vulnerability in Internet Explorer 6, 7 and 8. So just, patch, patch, patch until the next Internet Explorer 0day found exploited in targeted attacks… See you in two or three months.
Microsoft, announcing in an Advanced Notification, will release, this Monday at 10 a.m. PST, an out-of-band security update to address vulnerability CVE-2012-4792, who was actively exploited in the wild targeting different organizations like Council on Foreign Relations (CFR.org), a foreign policy web group. This vulnerability was acknowledged by Microsoft, in MSA-2794220, the 30 December, but was exploited in targeted attacks since minimum beginning December. So, like for Oracle Java 7 Update 11 release, I advise you to patch asap.
During some investigations, associated to a packed version of the September Internet Explorer CVE-2012-4969 vulnerability, I found an unknown exploit targeting Microsoft Internet Explorer. The code was found on CLEAN MX and the evidences was dated of 2011-10-25.
After some researches on Internet, I found a blog post “Internet Explorer Option Element Remote Code Execution” from Ivan Fratric related to CVE-2011-1996 who has similar familiarities with the founded code. Ivan spoke about an PoC but never delivered it.
If you remember CVE-2011-1996 was patched in MS11-081 the 11 October 2011 and details on the vulnerability were provided by Ivan Fratic the 12 October 2011. This vulnerability is affecting Microsoft Internet Explorer 6,7 and 8. So less than 12 days after the release of the Microsoft patch, an exploit was found gathered on Clean MX…
Now since the 9 January, this exploit is now integrated into Metasploit framework as “ms11_081_option” targeting Internet Explorer 8 on Windows XP, Vista and 7. Just enjoy
If you are working in computer security and still don’t have hear about the latest Oracle Java 0day, aka CVE-2013-0422, then you should change you job ! This last Oracle Java 0day was discovered massively exploited in exploit kits by @kafeine the 10th January. Other exploit kits have quickly add support of this new vulnerability, like Gong Da exploit kit.
This new version was discovered on “hxxp://syspio.com/data/m.html” a web site how is actually still online.
“syspio.com” is hosted on 126.96.36.199, in KR and this domain name seem to be associated with a legit compromised web site.
After de-obfuscation of the “m.html” file you can see that Gong Da Pack has involve to the following diagram.
Here under some information s regarding the different files:
- EnKi2.jpg (aka CVE-2011-3544) : 8/46 on VirusTotal.com
- cLxmGk3.jpg (aka CVE-2012-0507) : 11/46 on VirusTotal.com
- OLluRM4.jpg (aka CVE-2012-1723) : 20/46 on VirusTotal.com
- GPUrKz2.jpg (aka CVE-2012-4681) : 29/45 on VirusTotal.com
- PBLO5.jpg (aka CVE-2012-5076) : 12/46 on VirusTotal.com
- Nuwm7.jpg (aka CVE-2013-0422): 6/46 on VirusTotal.com