Public release of IE exploit could spark widespread attacks

Exploit module for yet-to-be-patched Internet Explorer vulnerability added to Metasploit

An exploit for a vulnerability that affects all versions of Internet Explorer and has yet to be patched by Microsoft has been integrated into the open-source Metasploit penetration testing tool, a move that might spur an increasing number of attacks targeting the flaw.

The vulnerability is known as CVE-2013-3893 and was announced by Microsoft on Sept. 17 after the company became aware of its use in targeted attacks. The company released a temporary "Fix It" tool that customers can download and install to address the flaw, but no permanent patch has been released through Windows Update.

The vulnerability affects all versions of Internet Explorer and can be exploited to execute arbitrary code on computers when IE users visit a specially crafted Web page hosted on a malicious or compromised website.

Security researchers have issued warnings about ongoing attack campaigns that have been using the vulnerability to target organizations in Japan and Taiwan since late August or even July, according to some reports.

Since August 29, when an exploit for this vulnerability was first detected as part of an attack dubbed "Operation DeputyDog," the exploit was adopted by at least two more APT (advanced persistent threat) groups and used in targeted attacks, according to a new report by researchers from security firm FireEye.

On Monday, exploit developer and Metasploit contributor Wei Chen released a CVE-2013-3893 exploit module for the popular penetration testing tool. Chen noted that the module is based on the exploit code that's already being used by attackers.

The inclusion of the exploit in Metasploit is significant, because while this tool is primarily aimed at security professionals, cybercriminals have made a habit of borrowing exploits from it and using them in their own attacks.

"As long as cybercriminals get access to the exploit code made publicly available we will see instances of the exploit being use by regular cybercriminals and probably we will find the exploit in some of the most famous Exploit Kits," said Jaime Blasco, manager of the research team at security firm AlienVault, Saturday via email. "I'm sure if Metasploit includes this exploit we will see an increase on widespread exploitation."

The exploit kits Blasco refers to are commercial crimeware tools like Black Hole that are available to a large number of cybercriminals and which are generally used in attacks that have a much wider scope than APT campaigns.

It's highly possible that the exploit is already being used as part of such exploit kits, said Metasploit engineering manager Tod Beardsley, Tuesday via email. The exploit used in the new Metasploit module was obtained from existing attacks and there are similarities between it and prior exploits known to be used in such tools.

In particular, the exploit contains system fingerprinting code that's not actually used, which suggests the original author is at least familiar with prior exploits found in exploit packs, Beardsley said.

According to Chen, the junk fingerprinting code appears to have been reused in various exploits since at least 2012.

Microsoft's next batch of security updates is scheduled for Oct. 8, but it's not clear if the company will issue a permanent patch for this particular vulnerability at that time.

Beardsley hopes it will. "The Fix It is effective, so I hope it would be straightforward to patch properly," he said.

What’s wrong? The new clean desk test
Join the discussion
Be the first to comment on this article. Our Commenting Policies