Patch Tuesday Includes Fixes for Two, Not One, Internet Explorer Zero-day Exploits

Microsoft's Patch Tuesday includes fixes for two Internet Explorer zero-day exploits

"The biggest surprise from this month’s advisories is that Microsoft has addressed not one but two critical Internet Explorer zero-days," comments Craig Young, a security researcher at Tripwire. "These fixes should be the highest priority for patch deployment since both of these issues are being exploited in the wild."

But, "There will be one thought on IT teams' minds today," adds his colleague and technical manager of security research, Tyler Reguly: "Where did this second IE zero-day come from and why haven't we heard about it?"

Well, it came via Trustwave, which seems to have been the first to discover it. "Through collaboration with the Microsoft Security Response Center (MSRC) Team," it announced in a new SpiderLabs blog yesterday, "we confirmed that the new zero-day (CVE-2013-3897) has been in the wild for a month (the new CVE-2013-3897 and the previous zero-day CVE-2013-3893)."

But Trustwave wasn't alone. The Sourcefire vulnerability research team (VRT) also discussed CVE-2013-3897 yesterday in what seems to have been an unconnected discovery. "A little over a week ago the VRT discovered a very interesting bit of JavaScript on a popular JS unpacker site," it says. This ultimately turned out to be the same vulnerability. "Even before a MS advisory appeared for this use-after-free vulnerability the VRT released coverage in the form of a TRUFFLE rule," an obfuscated Snort rule that does not reveal the vulnerability details in plaintext.

Trustwave meantime took the official route and liaised with Microsoft. "We'd like to take this opportunity to thank our valued partners Trustwave, the National Cyber Security Centre of the Netherlands, and Renato Ettisberger from IOprotect GmbH for reporting this vulnerability in a coordinated manner and for collaborating with us," said Microsoft in its TechNet blog.

While VRT found the exploit on a JS unpacker site, Trustwave had already encountered it, Ziv Mador, Trustwave's director of security research, told Infosecurity, while "monitoring a server that was hosting exploits and malicious content in the past." Mador also explained that this vulnerability could not be mitigated with a Fix it, but that Microsoft "confirmed that it was a 0-day and that they were going to patch it in yesterday's Patch Tuesday."

Although there are some apparent similarities between the two exploits (timing and geography), Mador told Infosecurity, "There is no direct relationship as far as we can tell. One of them was a targeted attack while the latter one came to distribute general malware." The first is described as a memory corruption vulnerability, while the second has been identified as a use-after-free, itself a specific class of memory corruption. "The zero-day campaign seems to have launched in the first half of September 2013 targeting Japanese and Korean users," notes the Trustwave blog.

One interesting feature is that while use of the new vulnerability seems to be targeted against Korean and Japanese users, the payload observed by Trustwave is less targeted. "It attempts to disable any security products that may be running on the victim machine, redirects banking sites to a malicious IP address and tries to steal credentials for popular online games," writes the firm. "The various techniques used indicate that this payload is not meant for any targeted scenario but instead will simply try to target any Korean or Japanese users it stumbles upon." Mador also told Infosecurity that the payload is new. "The specific malware which was used in 3897 has never been seen prior to this attack."
