
SANS ISC InfoSec Handlers Diary Blog



Threat Level Yellow: Protection recommendations regarding Internet Explorer exploits in the wild

Published: 2013-09-20
Last Updated: 2013-09-21 23:14:18 UTC
by Russ McRee (Version: 2)

UPDATE: 21 SEP 2013

FireEye has posted "Operation DeputyDog: Zero-Day (CVE-2013-3893) Attack Against Japanese Targets", which describes the campaign they've discovered leveraging the recently announced zero-day CVE-2013-3893. The writeup includes details and samples. We recommend an immediate read: http://www.fireeye.com/blog/technical/cyber-exploits/2013/09/operation-deputydog-zero-day-cve-2013-3893-attack-against-japanese-targets.html

-----------------------------------------------

The Internet Storm Center is beginning to see increased evidence of exploits in the wild related to Microsoft Security Advisory 2887505. Accordingly, we're moving the InfoCon up to Yellow.

Per the advisory:
Microsoft is investigating public reports of a vulnerability in all supported versions of Internet Explorer. Microsoft is aware of targeted attacks that attempt to exploit this vulnerability in Internet Explorer 8 and Internet Explorer 9. Applying the Microsoft Fix it solution, CVE-2013-3893 Fix It Workaround, prevents the exploitation of this issue. This Fix it solution also includes EMET 4.0 guidance. Certainly consider use of EMET 4.0 where you can. Please note, the Fix it seems to help only 32-bit versions of browsers. That said, the vulnerability affects all versions of Internet Explorer except in instances of Windows Server 2008 and 2012 Core installations.
 
It appears that an exploit has been in the wild since August 29th, 2013, when it was first seen by one of the online security scanners. There is some indication that a weaponized exploit may be in broader circulation now, so expect this to ramp up quickly.
 
Emerging Threats has Snort signatures available for this issue: http://www.emergingthreats.net/2013/09/19/daily-ruleset-update-summary-09192013/. Expect Rapid7 to likely release Metasploit bits in the near term. We'll update here as we see more on this vulnerability emerge.
 
 
 
 