Microsoft Windows IE Vulnerability attacks spotted in the Wild
Dell Sonicwall Threats Research team has found the old Internet Explorer vulnerability(CVE-2013-1347) still getting actively exploited.
This is the same vulnerability exploited in the Department of Labor Attacks earlier this year.
This is a use-after-free condition which occurs when an Object gets deleted but its reference is re-used causing memory corruption thereby allowing arbitrary code execution.
Following is an in-depth analysis of the attack.
Debugging shows successful exploitation of the vulnerability
This page includes payload which downloads a binary which is saved as C:rund11.exe
Another binary is downloaded as shown.
This binary upon execution sends requests to following domains.
Following signatures are already proactively detecting the attack.
- IPS:9470 DOM Object Use-After-Free Attack 2
- IPS:9872 Windows IE DOM Object Use-After-Free (MS13-038) 1
- IPS:9873 Windows IE DOM Object Use-After-Free (MS13-038) 2