The Latest in IT Security

Exploit for June MS Tuesday Vulnerability in the Wild

17 Jun 2011

Symantec Security Response has confirmed that the Microsoft Internet Explorer Time Element Uninitialized Memory Remote Code Execution Vulnerability is being exploited in the wild.

The vulnerability itself affects IE versions 6, 7, and 8. However, the exploit we have acquired seems to affect only version 8. Microsoft has already released patches as part of the MS Tuesday release on June 14, so Symantec advises all users to install the patch.

So far we have only seen limited attacks taking advantage of this vulnerability and believe that the exploit is only being carried out in targeted attacks at present.

The attack we have been able to confirm involves a compromised website hosting content for a neighborhood restaurant. A duplicate of the site's top page was either hacked to include a hidden iframe tag linking to an exploit page or prepared from scratch; if the exploit runs successfully, the included shellcode downloads an encrypted malicious file from the same site. Interestingly, the page also includes a link to cnzz.com, a site that offers statistical analysis, perhaps to give the attacker an idea of how the attack is progressing. The downloaded malware then contacts 323332.3322.org over HTTP and awaits further commands. 3322.org provides a type of dynamic DNS service and is known to be used for various malicious purposes, so it may not be a bad idea to block access to the domain and, if needed, whitelist those subdomains that you may need access to. It is likely that the attacker sends emails to the targets containing a link to the website, with the intent of stealing confidential information, which is a common method used in targeted attacks.
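The blocking advice above (deny the 3322.org dynamic-DNS parent, allowlist only the subdomains you need) is easy to get wrong with naive substring matching. The following added example, which is not part of the original post and not Symantec's code, shows a label-aware suffix check with allowlist precedence and runs it over constructed proxy log lines to surface which internal clients reached a blocked host. The allowlist entry `needed-service.3322.org`, the log format and the client addresses are all assumptions made up for the example; only `323332.3322.org` and `3322.org` come from the post.

```python
import re
from urllib.parse import urlsplit

# Hypothetical policy (not from the post): block the dynamic-DNS parent domain the
# malware used, but keep an allowlist of hosts under it that are still required.
BLOCKED_PARENTS = ("3322.org",)
ALLOWED_HOSTS = ("needed-service.3322.org",)  # placeholder allowlist entry (assumed)


def host_under(host: str, parent: str) -> bool:
    """True when host equals parent or is a subdomain of it.

    Matches on whole DNS labels, so 'my3322.org' and '3322.org.example.net'
    are NOT considered under '3322.org'.
    """
    h = host.lower().rstrip(".")
    p = parent.lower().rstrip(".")
    return h == p or h.endswith("." + p)


def decide(host: str) -> str:
    """Return 'allow' or 'block' for a hostname; allowlist entries win over the block rule."""
    if any(host_under(host, allowed) for allowed in ALLOWED_HOSTS):
        return "allow"
    if any(host_under(host, blocked) for blocked in BLOCKED_PARENTS):
        return "block"
    return "allow"


# Constructed proxy log format: "<timestamp> <client-ip> <method> <url>"
LOG_LINE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+)")


def audit_proxy_log(lines):
    """Parse proxy log lines and return (client, host, decision) for each parsable request."""
    results = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip malformed lines rather than failing the whole audit
        host = urlsplit(m.group("url")).hostname or ""
        results.append((m.group("client"), host, decide(host)))
    return results


def clients_with_blocked_traffic(lines):
    """Internal clients that contacted a blocked host: candidates for incident follow-up."""
    return sorted({client for client, _, decision in audit_proxy_log(lines) if decision == "block"})


# Constructed sample log (not real traffic); the first host is the C&C name from the post.
SAMPLE_LOG = [
    "2011-06-17T10:02:11Z 10.0.0.12 GET http://323332.3322.org/cmd",
    "2011-06-17T10:02:13Z 10.0.0.12 GET http://www.example.com/index.html",
    "2011-06-17T10:03:40Z 10.0.0.31 GET http://needed-service.3322.org/api",
    "2011-06-17T10:04:02Z 10.0.0.44 GET http://my3322.org/",
    "2011-06-17T10:04:09Z 10.0.0.44 GET http://3322.org.example.net/x",
    "this line is not in the expected format",
]

if __name__ == "__main__":
    for client, host, decision in audit_proxy_log(SAMPLE_LOG):
        print(f"{client:12} {host:30} {decision}")
    print("follow up on:", clients_with_blocked_traffic(SAMPLE_LOG))
```

Because the allowlist is checked first, a required subdomain stays reachable even though its parent is denied; the two look-alike hosts in the sample demonstrate why the check must respect label boundaries rather than search for the string "3322.org".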

To protect themselves, users should apply the latest patch for this vulnerability. They should also keep all other software on their computer up to date, including security software, and be cautious with email attachments and links they receive from both known and unknown sources.

Symantec detects the exploit as Trojan.Shixploit and the payload has been detected as Backdoor.Trojan since January 2010.

Thanks to Masaki Suenaga and Kazumasa Itabashi for their help analyzing the threat.
