[Microsoft]Running in the wild, not for so long

ronjor · Jul 10, 2013

swiat

Over the weekend we received a report from our partners about a possible unpatched Internet Explorer vulnerability being exploited in the wild. The exploit code uses a memory corruption bug triggered from a webpage but it deeply leverages a Flash SWF file in order to achieve reliable exploitation and code execution. The Flash file is made of a sophisticated ActionScript code that allocates certain objects in memory in such a way that they can be corrupted later by the Internet Explorer bug in order to give unsafe access to memory regions to the Flash ActionScript code that will carry on the entire exploitation.

In summary, our analysis of this exploit sample revealed the following:

ASLR is bypassed by the attacker through a use-after-free IE vulnerability that corrupts the size of a Flash Vector<> object and generates the possibility for Flash ActionScript to access memory unsafely and disclose module addresses, including NTDLL base;
DEP is bypassed with a ROP gadget which calls into ntdll!NtProtectVirtualMemory in order to change protection of non-executable memory pages to executable;
Click to expand...

https://blogs.technet.com/b/srd/arc...the-wild-not-for-so-long.aspx?Redirected=true

Gullible Jones · Jul 10, 2013

ASLR/DEP bypass in the wild? Nice.

Good to see that EMET handles this one at least. Now tell me, why again hasn't MS integrated EMET into a control panel somewhere?

elapsed · Jul 11, 2013

It was patched with this months updates, though it's saying that anyone with EMET enabled on IE would have been safe even without the patch.

ance · Jul 12, 2013

Gullible Jones said:

Now tell me, why again hasn't MS integrated EMET into a control panel somewhere?
Click to expand...

I think they don't want ordinary Joe to activate EMET (because of possible incompatibilities with other software).

HeapSpray (also effective for EMET 3.0)
Click to expand...

Does it mean EMET 3.0 is useless in this case?

elapsed · Jul 12, 2013

laris said:

Does it mean EMET 3.0 is useless in this case?
Click to expand...

No, it means EMET 3.0 supports that mitigation.

siljaline · Jul 13, 2013

Targeted attacks exploit now-patched Windows bug revealed by Google engineer.
http://www.computerworld.com/s/arti...tched_Windows_bug_revealed_by_Google_engineer

Article cites: http://blogs.technet.com/b/srd/archive/2013/07/10/running-in-the-wild-not-for-so-long.aspx

siljaline · Jul 13, 2013

Most folks should have MS13-055 installed, if they were correctly patched as per: http://technet.microsoft.com/en-us/security/bulletin/ms13-jul

Log in or Sign up

[Microsoft]Running in the wild, not for so long

ronjor Global Moderator

Gullible Jones Registered Member

elapsed Registered Member

ance formerly: fmon

elapsed Registered Member

siljaline Registered Member

siljaline Registered Member

Log in or Sign up

[Microsoft]Running in the wild, not for so long

ronjor Global Moderator

Gullible Jones Registered Member

elapsed Registered Member

ance formerly: fmon

elapsed Registered Member

siljaline Registered Member

siljaline Registered Member

Useful Searches