CVE-2013-3893 – Internet Explorer Zero-Day Exploited in a Targeted Attack

By Nofar Gueta | September 18, 2013

Following reports of its exploitation in the wild, Microsoft is investigating an Internet Explorer zero-day vulnerability affecting all supported versions. The company is currently examining the details and working with the information security community to monitor the threat and detect compromised sites.

The vulnerability is a remote code execution vulnerability, which allows the attacker to execute arbitrary code as the logged-on user. It exists in the way the browser accesses objects that have been deleted or improperly allocated. This means that an attacker can leverage the vulnerability by hosting a crafted website and luring victims to visit it (using a phishing email, for example).

In the attack discovered in the wild, the attacker was targeting Windows XP and Windows 7 machines running Internet Explorer versions 8 and 9. The attack was described as “targeted and geographically limited”, and apparently took place in Japan.

“The attacker exploits the vulnerability by setting up a malicious webpage which uses JavaScript code to prepare a use-after-free condition, where previously allocated memory, whose content the attacker can control, is accessed after it has been marked as not used anymore. The exploit depends on a Microsoft Office DLL which has been compiled without Address Space Layout Randomization (ASLR) to locate the right memory segment to attack, but this DLL is extremely common and most likely will not lower the affected population by much”, according to Qualys.

Microsoft has provided a FixIt solution (“CVE-2013-3893 MSHTML Shim Workaround”, supporting only 32-bit versions of Internet Explorer), and for now it is not clear whether the patch will be part of the periodic update, issued only a week ago, or a separate update.

Cyvera TRAPS was developed to prevent exploitation of software vulnerabilities such as the aforementioned one, without having any prior knowledge of the exploits, and successfully prevents exploitation of this vulnerability as well.