Public release of IE exploit could spark widespread attacks

Exploit module for yet-to-be-patched Internet Explorer vulnerability added to Metasploit

An exploit for a vulnerability that affects all versions of Internet Explorer and has yet to be patched by Microsoft has been integrated into the open-source Metasploit penetration testing tool, a move that might spur an increasing number of attacks targeting the flaw.

The vulnerability is known as CVE-2013-3893 and was announced by Microsoft on Sept. 17 after the company became aware of its use in targeted attacks. The company released a temporary "Fix It" tool that customers can download and install to address the flaw, but no permanent patch has been released through Windows Update.

The vulnerability affects all versions of Internet Explorer and can be exploited to execute arbitrary code on computers when IE users visit a specially crafted Web page hosted on a malicious or compromised website.

Security researchers have issued warnings about ongoing attack campaigns that have been using the vulnerability to target organizations in Japan and Taiwan since late August or even July, according to some reports.

Since August 29, when an exploit for this vulnerability was first detected as part of an attack dubbed "Operation DeputyDog," the exploit was adopted by at least two more APT (advanced persistent threat) groups and used in targeted attacks, according to a new report by researchers from security firm FireEye.

On Monday, exploit developer and Metasploit contributor Wei Chen released a CVE-2013-3893 exploit module for the popular penetration testing tool. Chen noted that the module is based on the exploit code that's already being used by attackers.

The inclusion of the exploit in Metasploit is significant, because while this tool is primarily aimed at security professionals, cybercriminals have made a habit of borrowing exploits from it and using them in their own attacks.

"As long as cybercriminals get access to the exploit code made publicly available we will see instances of the exploit being use by regular cybercriminals and probably we will find the exploit in some of the most famous Exploit Kits," said Jaime Blasco, manager of the research team at security firm AlienVault, Saturday via email. "I'm sure if Metasploit includes this exploit we will see an increase on widespread exploitation."

The exploit kits Blasco refers to are commercial crimeware tools like Black Hole that are available to a large number of cybercriminals and which are generally used in attacks that have a much wider scope than APT campaigns.

It's highly possible that the exploit is already being used as part of such exploit kits, said Metasploit engineering manager Tod Beardsley, Tuesday via email. The exploit used in the new Metasploit module was obtained from existing attacks and there are similarities between it and prior exploits known to be used in such tools.

In particular, the exploit contains system fingerprinting code that's not actually used, which suggests the original author is at least familiar with prior exploits found in exploit packs, Beardsley said.

According to Chen, the junk fingerprinting code appears to have been reused in various exploits since at least 2012.

Microsoft's next batch of security updates is scheduled for Oct. 8, but it's not clear if the company will issue a permanent patch for this particular vulnerability at that time.

Beardsley hopes it will. "The Fix It is effective, so I hope it would be straightforward to patch properly," he said.

Join the PC World newsletter!

Error: Please check your email address.

Tags online safetyMicrosoftsecurityAlienVaultRapid7FireEyeExploits / vulnerabilitiesmalware

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments

Essentials

Lexar® JumpDrive® S57 USB 3.0 flash drive

Learn more >

Microsoft L5V-00027 Sculpt Ergonomic Keyboard Desktop

Learn more >

Mobile

Lexar® JumpDrive® S45 USB 3.0 flash drive 

Learn more >

Exec

HD Pan/Tilt Wi-Fi Camera with Night Vision NC450

Learn more >

Lexar® Professional 1800x microSDHC™/microSDXC™ UHS-II cards 

Learn more >

Audio-Technica ATH-ANC70 Noise Cancelling Headphones

Learn more >

Lexar® JumpDrive® C20c USB Type-C flash drive 

Learn more >

Budget

Back To Business Guide

Click for more ›

Most Popular Reviews

Latest News Articles

Resources

GGG Evaluation Team

Michael Hargreaves

Dell XPS 13

I’d happily recommend this touchscreen laptop and Windows 10 as a great way to get serious work done at a desk or on the road.

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell

LIFEBOOK UH574

The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi

STYLISTIC Q702

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?