Matsuda
Posted November 11, 2013 (edited)

Microsoft announced this afternoon that the zero-day vulnerability being exploited in a watering hole attack against an unnamed U.S.-based NGO website was already scheduled to be patched in a cumulative Internet Explorer update tomorrow.

The zero-day was reported publicly on Friday by FireEye researchers and today a few more dots were connected on the attack, which is dropping a variant of the McRAT Trojan that has been used in a number of targeted espionage attacks targeting industrial secrets.

Microsoft promised a relatively light Patch Tuesday tomorrow that included another IE rollup, a staple of the company's monthly security updates in 2013. Dustin Childs, a group manager in the Microsoft Trustworthy Computing group, said today that the vulnerability in an IE ActiveX Control will be patched in MS13-90 tomorrow.

In its advanced notification released last Thursday, Microsoft said the IE bulletin is rated critical because it involves flaws that can lead to remote code execution. The critical rating applies to IE 6-8 on Windows XP, IE 7-9 on Vista, IE 8-10 on Windows 7, and IE 10 on Windows 8 and 8.1; all other versions are rated important.

FireEye today told Threatpost that the attack is limited to a single U.S.-based website hosting domestic and international policy guidance. No details were available on how the site was compromised, only that the victims were hit by malware in drive-by download attacks targeting an information leakage vulnerability and a memory corruption issue leading to remote code execution.

What differentiates this attack from other watering hole attacks is that victims are not subject to malicious iframes or traffic-redirects to attacker-controlled sites and further malware downloads. Instead, McRAT is injected directly into memory, a new twist on advanced targeted attacks.

"By using memory-only methods, the attack is exceptionally difficult for network defenders to detect, when trying to examine and confirm which endpoints are infected, using traditional disk-based forensics methods," said Darien Kindlund, FireEye director of threat intelligence.

Microsoft said a number of mitigations are available to IE users as a mitigation until a patch is applied, namely setting security zone settings to "High" to block ActiveX Controls and Active Scripting, though users could experience some usability issues. IE can also be configured to prompt a user before running Active Scripting. The Enhanced Mitigation Experience Toolkit (EMET) is also a viable mitigation, Microsoft said.

The IE patch is one of eight bulletins scheduled for tomorrow, three of those rated critical. The scheduled security updates, however, will not include a patch for the Windows TIFF zero day being actively exploited in attacks primarily in Pakistan.

The vulnerability in several Windows and Office versions is being exploited in targeted attacks against Windows XP systems running Office 2007. Microsoft released a Fix-It tool as a stopgap measure until a patch is released out of band or with the December security updates.

Source

Edited November 11, 2013 by Matsuda

geeteam
Posted November 12, 2013

Over the weekend, the security firm FireEye reported that a zero day bug in many versions of Internet Explorer was already being exploited by attackers. Now Microsoft is taking the unusual move of announcing that the exploit will be fixed as part of its previously revealed plans to release a number of security bulletins today as part of "Patch Tuesday".

Normally, Microsoft does not offer specific information about the security bulletins it will release during "Patch Tuesday" ahead of time so as not to alert hackers. However, because the IE zero day bug is already being used in the wild, Microsoft posted a note on its Security Response Center blog on Monday stating that the exploit, which affects an Internet Explorer ActiveX Control, will be closed as part of the MS13-090 bulletin.

Microsoft also offered some advice for PC users who might be affected by the exploit before the patch is released later today, such as changing Internet and local intranet security zone settings to "High" to block any ActiveX Controls and Active Scripting. It also says that IE can be configured to either prompt or disable Active Scripting.

FireEye previously claimed the bug affects versions 7, 8, 9, and 10 of IE that are used with Windows XP and 7 and that it can be used to distribute malware that resides in PC memory. It also claims that the exploit has already infected a major website but did not name the specific URL.

Original Article
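
Both posts above mention the same interim mitigation: setting the Internet and Local intranet zones to "High", or having IE prompt before (or disable) Active Scripting. The following PowerShell is an added example, not part of either post or of Microsoft's guidance, that reports whether those settings are in place for the current user. It assumes PowerShell 3.0 or later and reads only the standard per-user zone store; the function name is hypothetical and Group Policy overrides are not read.

```powershell
# Added example: audit the per-user IE zone settings named in the mitigation advice.
# Assumption: settings live in the standard per-user zone store; values pushed by
# Group Policy (under the Policies hive) take precedence and are not read here.
$ZoneRoot     = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$Zones        = [ordered]@{ '1' = 'Local intranet'; '3' = 'Internet' }
$Actions      = [ordered]@{ '1200' = 'Run ActiveX controls and plug-ins'
                            '1400' = 'Active scripting' }
$StateNames   = @{ 0 = 'Enabled'; 1 = 'Prompt'; 3 = 'Disabled' }
$HighTemplate = 0x12000   # CurrentLevel value when the zone slider is set to "High"

function Get-IeZoneMitigationStatus {   # hypothetical helper name
    foreach ($zoneId in $Zones.Keys) {
        $key   = Join-Path $ZoneRoot $zoneId
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue

        foreach ($actionId in $Actions.Keys) {
            # A missing key or value means the user has no explicit setting.
            $raw = if ($props) { $props.$actionId } else { $null }

            if ($null -eq $raw) {
                $state = 'Not set for this user'
            } elseif ($StateNames.ContainsKey([int]$raw)) {
                $state = $StateNames[[int]$raw]
            } else {
                $state = 'Other (0x{0:X})' -f $raw
            }

            [pscustomobject]@{
                Zone        = $Zones[$zoneId]
                Setting     = $Actions[$actionId]
                State       = $state
                # Prompt (1) or Disabled (3) matches the advice quoted in the posts.
                Mitigated   = ((1, 3) -contains $raw)
                ZoneAtHigh  = ($props -and $props.CurrentLevel -eq $HighTemplate)
            }
        }
    }
}

Get-IeZoneMitigationStatus | Format-Table -AutoSize
```

A row with `Mitigated` false in the Internet zone means the browser will still run that content type without asking, so the workaround is not in effect for that user.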