Skip to content ↓ | Skip to navigation ↓

The recent Internet Explorer vulnerability (CVE-2013-3893) announced by Microsoft last week is being exploited as part of a targeted attack FireEye is referring to as “Operation DeputyDog”.

“Today, we released a Fix it workaround tool to address a new IE vulnerability that had been actively exploited in extremely limited, targeted attacks.  This Fix it makes a minor modification to mshtml.dll when it is loaded in memory to address the vulnerability. This Fix it workaround tool is linked from Security Advisory 2887505 that describes this issue.  The exploit we analyzed worked only on Windows XP or Windows 7 running Internet Explorer 8 or 9.” Microsoft said.

The attack is reported to be targeting organizations in Japan and throughout Asia and could be the same group who targeted Bit9 suspected as the Hidden Lynx APT group.

“The exploit was attacking a Use After Free vulnerability in IE’s HTML rendering engine (mshtml.dll) and was implemented entirely in Javascript (no dependencies on Java, Flash etc), but did depend on a Microsoft Office DLL which was not compiled with ASLR (Address Space Layout Randomization) enabled,” Microsoft continued.

“The purpose of this DLL in the context of this exploit is to bypass ASLR by providing executable code at known addresses in memory, so that a hardcoded ROP (Return Oriented Programming) chain can be used to mark the pages containing shellcode (in the form of Javascript strings) as executable. This can be seen by the fact that ALL the gadgets used by the ROP chain were contained in hxds.dll.”

Read More Here…