Microsoft 0-Days: An Explanation and Safety Tips


[Update]: Microsoft has announced it will issue a patch for the newly discovered IE zero day tomorrow as part of the November Patch Tuesday. The vulnerability, now labeled CVE-2013-3918, affects an ActiveX control in Internet Explorer. More details can be found on Microsoft’s website.

Last week we heard about a Windows zero day that allows attackers to remotely execute code by exploiting a specially crafted TIFF file. Researchers found the zero day was used in booby-trapped Word documents containing bogus TIFF images.

The zero day, which has been assigned CVE-2013-3906, is a flaw in a TIFF component that is part of Microsoft Office 2003 through 2010.
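The delivery vehicle described above is a Word document carrying a crafted TIFF image. As an added triage example (not code from the original post or from Malwarebytes), the script below lists every member of a zip-based Office file (.docx/.xlsx/.pptx) whose content starts with a TIFF header, identifying images by file magic rather than by extension so a TIFF renamed to .jpg or .png is still reported. The sample document it builds is constructed inline; legacy binary .doc files are OLE containers and are out of scope here.

```python
# Added example: list TIFF images embedded in zip-based Office documents.
# Reports presence of TIFF data only; it does not judge whether an image is malicious.
import io
import zipfile

# Little-endian ("II") and big-endian ("MM") TIFF headers
TIFF_MAGICS = (b"II*\x00", b"MM\x00*")


def is_tiff(data: bytes) -> bool:
    """True if the byte string starts with a TIFF header."""
    return data[:4] in TIFF_MAGICS


def find_embedded_tiffs(doc) -> list:
    """Return names of zip members whose content is TIFF, regardless of extension.

    `doc` may be a path, a file-like object, or raw bytes. Input that is not a
    zip archive (e.g. a legacy binary .doc) is reported as an empty list.
    """
    if isinstance(doc, (bytes, bytearray)):
        doc = io.BytesIO(doc)
    hits = []
    try:
        with zipfile.ZipFile(doc) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                with zf.open(info) as member:
                    header = member.read(4)  # only the magic bytes are needed
                if is_tiff(header):
                    hits.append(info.filename)
    except zipfile.BadZipFile:
        return []
    return hits


def build_sample_docx() -> bytes:
    """Constructed sample: a minimal docx-like zip with a TIFF hidden behind a .jpg name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/media/image1.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
        # Constructed TIFF header only (not an exploit), with a misleading extension
        zf.writestr("word/media/image2.jpg", b"II*\x00\x08\x00\x00\x00" + b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    print(find_embedded_tiffs(build_sample_docx()))  # ['word/media/image2.jpg']
```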

To make matters worse, a brand new zero day against Internet Explorer was discovered by security firm FireEye. Based on their analysis, the vulnerability affects IE 7, 8, 9 and 10.

The attack was identified on a US website which appears to have been targeted specifically due to its nature, which according to FireEye “draw[s] visitors that are likely interested in national and international security policy”.

This is not your run-of-the-mill drive-by download. The payload is never actually written to disk, since the shellcode is injected directly into memory. (Typically, exploits download one or more malware binaries to the local hard drive and run them from there.)

Malware that is only resident in memory runs the risk of being unexpectedly terminated if the user shuts down or reboots her machine.

However, this is a small price to pay for a very stealthy attack, and persistence could perhaps be achieved by reinfecting the user every time she revisits that website.

FireEye said this latest threat, which installs a Remote Administration Tool (RAT), has ties with a previous one dubbed Operation DeputyDog, which targeted Japan.

Microsoft’s November Patch Tuesday is just around the corner, but the TIFF vulnerability and this new IE zero day will not get addressed this time around.

However, here’s what you can do right now to protect your systems. Microsoft has released a temporary Fix-it tool for the TIFF exploit here.

Regarding Internet Explorer, it is safer to use a different browser until a patch is released.

But not everyone can do that. Last week the Washington Post reported that “South Korea is stuck with Internet Explorer for online shopping because of security law”.

Certainly these latest threats affecting Microsoft software are set to reignite the fire within the browser wars.

To protect yourself against web or file based exploits, don’t forget to check out Malwarebytes Anti-Exploit which blocks known exploits as well as zero days.

Jerome Segura (@jeromesegura) is a senior security researcher at Malwarebytes.
