MS13-080 addresses two vulnerabilities under limited, targeted attacks

Today we released MS13-080 which addresses nine CVEs in Internet Explorer. This bulletin fixes multiple security issues, including two critical vulnerabilities that haven been actively exploited in limited targeted attacks, which we will discuss in details in this blog entry.

CVE-2013-3893: the final patch after Fix it workaround

Previously, Microsoft released Security Advisory 2887505 and made available the Fix it workaround 51001 to provide earlier protection to all customers for an actively exploited security issue that was reported to us. Fix it workarounds are examples of the reactive steps that MSRC can take in order to provide earlier protection solutions for customers during active attacks in combination with technologies such as EMET that help make exploitation more complicated for attackers. We have noticed some appreciation of Fix it workarounds across users given the download numbers and we are glad that users are proactively using this type of protection when possible while waiting for the comprehensive update. Today’s bulletin for Internet Explorer addresses this CVE, so we recommend to all customers (with or without Fix it workaround applied) to prioritize the installation of this security update. Customers who decided to install Fix it workaround 51001 can install MS13-080 bulletin at any moment and then remove the Fix it at any time using the uninstaller 51002 (as usual, we remind users that the presence of Fix it does not interfere with security updates and upcoming bulletins).

We are aware that aMetasploit module has been released recently for this CVE, however from the telemetry received from our partners and sensor feeds, the exploitation activity detected at this moment is still limited in nature and specifically is targeting older IE versions (8 and 9) using an ASLR bypass that requires the presence of Office 2007/2010 on the machine.

CVE-2013-3897: the unexpected use-after-free

MS13-080 also fixes a second CVE vulnerability that has been exploited in limited attacks over the web. This issue is a user-after-free vulnerability in CDisplayPointer triggered with “onpropertychange” event handler. This exploit was found cached on a popular Javascript analysis website and reported to us. The exploit code for this issue, released probably around mid-September, uses heap-spray to allocate a small ROP chain around address 0x14141414 and is designed to target only IE8 running on Windows XP for Korean and Japanese language-based users, as showed in the Javascript code snippet below.

We’d like to take this opportunity to thank our valued partners Trustwave, the National Cyber Security Centre of the Netherlands, and Renato Ettisberger from IOprotect GmbH for reporting this vulnerability in a coordinated manner and for collaborating with us. We also decided to provide additional details of the exploit and its payload that will help security vendors and users to strengthen defense against these attacks while the security updates are applied.

NOTE: [x] has been detected being a variable IP range using .153 and .154 values

As observed in both exploits, attackers are able to target previous versions of Internet Explorer on older platforms where all the newest mitigations are not available or not enabled by default. As such, we advise users, to install and use the latest versions of Internet Explorer on modern Windows in order to raise exploitation challenges for attackers and have better defense. For more information about the impact of software mitigations on patterns of vulnerability exploitation, Microsoft released recently a whitepaper that can help to understand the role of software mitigations and exploitation strategies of attackers.

Special thanks to IE team for assembling this fix in record time and Richard van Eeden for help analyzing the root cause of the bugs.

- Elia Florio, MSRC Engineering