Patched IE zero-day and older flaw exploited in ongoing targeted attacks

With this month’s Patch Tuesday, Microsoft has delivered the patch for the infamous Internet Explorer zero-day (CVE-2013-3893), which has been spotted in attacks that date back as far as three or four months and have been tied to the Chinese hacking group that hit Bit9 earlier this year.

What has received a little less attention is that a patch for another IE zero-day actively exploited in the wild has been released simultaneously: CVE-2013-3897.

“The vulnerability is caused by a ‘use-after-free’ error when processing ‘CDisplayPointer’ objects within mshtml.dll and generically triggered by the ‘onpropertychange’ event handler; the vulnerability could be exploited remotely by attackers to compromise a system via a malicious web page,” Elad Sharf, Senior Security Researcher at Websense, explained in a blog post.

The flaw is being exploited in a series of highly targeted, low-volume attacks in Korea, Hong Kong, and the US, aimed at companies in the finance, engineering and construction, manufacturing and government sectors.

The attack lure pages are located in a network range assigned to the Republic of Korea, and present a consistent URL structure (x.x.x.x/mii/guy2.html). It’s also interesting to note that there are other pages – with the same structure – that serve an exploit for an older IE flaw (CVE-2012-4792), which was patched a while back.

And while the exploit for the CVE-2013-3897 bug is triggered only for visitors running IE 8 on Windows XP 32-bit with the language set to Japanese or Korean, the CVE-2012-4792 exploit doesn’t make any distinctions and targets all visitors.
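A defender can hunt for the lure URL structure and the targeted client profile described above in web proxy logs. The following is an added example, not code from Websense or from the original article; the log format, the sample lines, and the reading of "same structure" as a single .html page under /mii/ on a bare-IP host are assumptions.

```python
import re
from ipaddress import IPv4Address
from urllib.parse import urlsplit

# Constructed proxy log lines (timestamp, client, URL, quoted User-Agent).
# Addresses are documentation ranges; "page.html" is a made-up file name.
SAMPLE_LOG = """\
2013-10-09T08:14:02Z 10.0.4.17 http://203.0.113.25/mii/guy2.html "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"
2013-10-09T08:15:40Z 10.0.4.22 http://198.51.100.7/mii/page.html "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
2013-10-09T08:16:11Z 10.0.4.30 http://www.example.com/mii/guy2.html "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"
2013-10-09T08:17:55Z 10.0.4.17 http://203.0.113.25/images/logo.png "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) "([^"]*)"$')
# Assumed "same structure": a single .html page under /mii/ on a bare-IP host.
LURE_PATH_RE = re.compile(r"^/mii/[^/]+\.html$", re.IGNORECASE)
# IE 8 on 32-bit Windows XP reports NT 5.1 (XP x64 reports NT 5.2).
IE8_XP_RE = re.compile(r"MSIE 8\.0;.*Windows NT 5\.1[;)]")

def is_ipv4_literal(host):
    """True when the URL host is a dotted-quad address, not a DNS name."""
    try:
        IPv4Address(host)
        return True
    except ValueError:
        return False

def hunt(log_text):
    """Return one dict per request whose URL matches the lure structure."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that are not in the assumed format
        ts, client, url, ua = m.groups()
        parts = urlsplit(url)
        if not parts.hostname or not is_ipv4_literal(parts.hostname):
            continue
        if not LURE_PATH_RE.match(parts.path):
            continue
        # Flag clients in the population the CVE-2013-3897 exploit fires on;
        # the UI-language condition is not visible in the User-Agent.
        hits.append({"time": ts, "client": client, "url": url,
                     "ie8_xp32": bool(IE8_XP_RE.search(ua))})
    return hits

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(hit)
```

Hits with `ie8_xp32` set deserve the first look for CVE-2013-3897, but every hit matters because the CVE-2012-4792 pages target all visitors.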

“Cybercriminals continue to innovate; they find zero-day vulnerabilities and utilize them in low volume targeted attacks, and in parallel they also employ older well-known exploits,” says Sharf. “This is indicative of them having conducted thorough reconnaissance in order to deliver payloads that they believe are likely to succeed.”
