0-day tagged in these posts:

Internet Explorer Zero-day Vulnerability (CVE-2013-1347) [Updated]
Posted: 07 May 2013 03:26 PM

A new vulnerability found in Microsoft Internet Explorer affects Internet Explorer version 8. The vulnerability allows attackers to execute code on a machine by just having the user visit a malicious website. This can happen, for example, when the user is tricked into clicking a link in an email, or via compromised legitimate websites, such as the recently compromised Department of Labor website, which was subsequently used in a watering hole attack. Malicious payloads delivered from this compromise were confirmed by Microsoft to exploit the new vulnerability, designated CVE-2013-1347.

The vulnerability itself lies in the way that Internet Explorer accesses an object that has been deleted or not properly allocated. A Metasploit module for this vulnerability has now been published, which means working exploit code is publicly available, and we anticipate that we'll soon see this Internet Explorer vulnerability used in broader attacks.

More information about the vulnerability can be found in Microsoft Advisory 2847140.

How Does Websense Protect You?

Websense customers are protected with ACE™, our Advanced Classification Engine.

ACE is able to protect from all known samples (at a URL level and with real-time analytics). We have also examined the sample code from Metasploit and added protection for that and any subsequent variations.

If we correlate this attack to the 7 Stages of Advanced Threats (as explained in our whitepaper), we currently have protection for:

  • Stage 2 (Lure) - the website involved in the water hole attack
  • Stage 3 (Redirect) - the websites that take the user to the delivery of the exploit code
  • Stage 4 (Exploit Kit) - we have real-time detection of the exploit code
  • Stage 6 (Call Home) - we offer protection from the websites used as a Command & Control
  • Stage 7 (Data Theft) - should the malware author's attack be successful, our customers would be protected through the use of our data loss prevention tools

As a member of the Microsoft Active Protection Program (MAPP), we are also working with Microsoft to monitor this situation.

[Update]

Thursday, May 9, 2013:

Microsoft has released a "Fix it" solution for CVE-2013-1347; however, keep in mind that a Fix it solution isn't going to be as strong as a full patch.

Carl Leonard

How are Java attacks getting through?
Posted: 25 Mar 2013 09:01 PM

Were you aware that Java is increasingly being viewed as a security risk? Of course you were; recent high-profile attacks have firmly established the trend, so we're not going to do yet another roundup here.

Instead, let's drill in and try to understand the core problem. With so many vulnerabilities, it's hard to keep browsers up to date with the latest patched versions, especially because Java is updated independently from the browser. How hard is it? We decided to check.

We recently added Java version detection to our Advanced Classification Engine (ACE™) and pumped it into the Websense ThreatSeeker® Network to get real-time telemetry about which versions of Java are actively being used across tens of millions of endpoints. Here's what we found:

Figure 1: Global distribution of Java Runtime Environment versions based on active browser usage

As you can see, Java versions are all over the map. At the time of this writing, the latest Java Runtime Environment is 1.7.17, but only about five percent of the overall mix are using it. Most versions are months and even years out of date. How does this translate into the attack space?

Exploit kits are a very common tool for distribution of many Java-based threats. From the billions of daily web requests being classified through our network, here is the breakdown of the active browser requests that are exploitable and which exploit kits have incorporated attacks for them.

Java Vulnerability   Vulnerable Versions**   % of Active Browsers Vulnerable   Exploit Kits With Live Exploits
CVE-2013-1493        1.7.15, 1.6.41          93.77%                            Cool
CVE-2013-0431        1.7.11, 1.6.38          83.87%                            Cool
CVE-2012-5076        1.7.07, 1.6.35          74.06%                            Cool, Gong Da, MiniDuke
CVE-2012-4681        1.7.06, 1.6.34          71.54%                            Blackhole 2.0, RedKit, CritXPack, Gong Da
CVE-2012-1723        1.7.04, 1.6.32          67.72%                            Blackhole 2.0, RedKit, CritXPack, Gong Da
CVE-2012-0507        1.7.02, 1.6.30          59.51%                            Cool, Blackhole 2.0, RedKit, CritXPack, Gong Da

** All prior JRE versions below those listed are also vulnerable.

It is probably no surprise that the single most widely exploitable vulnerability is the most recent one, with a vulnerable population of browsers at 93.77%. That's what the bad guys do: examine your security controls and find the easiest way to bypass them. Grabbing a copy of the latest version of Cool and using a pre-packaged exploit is a pretty low bar for going after such a large population of vulnerable browsers. Most browsers are vulnerable to a much broader array of well-known Java holes: over 75% use versions that are at least six months old, nearly two-thirds are more than a year out of date, and more than 50% are greater than two years behind the times with respect to Java vulnerabilities. And don't forget that if you're not on version 7 (which is 78.86% of you), Oracle won't be sending you any more updates even if new vulnerabilities are uncovered.
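The table above gives a defender everything needed to turn raw JRE version telemetry into the same "vulnerable" percentages. The following script is an added example (not Websense code) that encodes the table, parses JRE version strings in both the post's short form and the runtime's own `1.7.0_NN` form, applies the footnote's "all prior versions" rule, and computes the share of a constructed telemetry sample exposed to each CVE; branches newer than those in the table are assumed to be out of its scope.

```python
import re

# Vulnerability table from the post above: for each CVE, the highest vulnerable
# update on the 1.7 and 1.6 branches. Per the post's footnote, every earlier
# update and every older branch (1.5, 1.4, ...) is also vulnerable.
JAVA_CVES = {
    "CVE-2013-1493": {7: 15, 6: 41},
    "CVE-2013-0431": {7: 11, 6: 38},
    "CVE-2012-5076": {7: 7, 6: 35},
    "CVE-2012-4681": {7: 6, 6: 34},
    "CVE-2012-1723": {7: 4, 6: 32},
    "CVE-2012-0507": {7: 2, 6: 30},
}

# Accepts the post's short form ("1.7.15") and the JRE's own forms
# ("1.7.0_15", "1.6.0_41", "1.7.0").
_VERSION_RE = re.compile(r"^1\.(\d+)(?:\.0)?(?:[._](\d+))?$")


def parse_jre_version(text):
    """Return (branch, update), e.g. '1.7.0_17' -> (7, 17).

    A build suffix such as '-b02' is ignored; anything else that does not
    look like a JRE version raises ValueError so callers can skip it.
    """
    core = text.strip().split("-")[0]
    m = _VERSION_RE.match(core)
    if not m:
        raise ValueError("unrecognised JRE version: %r" % text)
    return int(m.group(1)), int(m.group(2) or 0)


def is_vulnerable(version, thresholds):
    """True if (branch, update) falls at or below the table's thresholds."""
    branch, update = version
    if branch > max(thresholds):
        # Assumption: branches newer than any in the table are not covered
        # by it, so they are reported as not vulnerable.
        return False
    if branch in thresholds:
        return update <= thresholds[branch]
    # Older branch than anything listed: vulnerable per the footnote.
    return True


def exposed_cves(text):
    """List the table's CVEs that the given JRE version is exposed to."""
    version = parse_jre_version(text)
    return [cve for cve, thr in JAVA_CVES.items() if is_vulnerable(version, thr)]


def vulnerable_share(observed):
    """Mirror the table's '% Vulnerable' column for a batch of telemetry.

    observed: raw version strings seen in browser requests. Unparsable
    entries are dropped. Returns {cve: percentage of parsed versions
    vulnerable to it}, rounded to two decimals like the post.
    """
    parsed = []
    for raw in observed:
        try:
            parsed.append(parse_jre_version(raw))
        except ValueError:
            continue
    if not parsed:
        return {}
    return {
        cve: round(100.0 * sum(is_vulnerable(v, thr) for v in parsed) / len(parsed), 2)
        for cve, thr in JAVA_CVES.items()
    }


# Constructed sample telemetry (not Websense data): one entry per observed request.
SAMPLE_TELEMETRY = [
    "1.7.0_17", "1.7.0_17-b02", "1.7.0_15", "1.7.0_11", "1.7.0_07",
    "1.6.0_41", "1.6.0_38", "1.6.0_31", "1.5.0_22", "not-a-jre-version",
]

if __name__ == "__main__":
    for cve, pct in vulnerable_share(SAMPLE_TELEMETRY).items():
        print("%s  %6.2f%% of sample vulnerable" % (cve, pct))
    print("1.6.0_38 exposed to:", ", ".join(exposed_cves("1.6.0_38")))
```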

How do you stop the onslaught if the patches aren't keeping up? Given the complexity and dynamism of exploit kits and their updates, exploit signatures do not suffice. Our protection model against new Java exploits is to use our analytics and real-time telemetry to proactively intercept new instances at every step of their attack strategy. Most prominently, ACE covers the exploit kit/exploit phase with a fine-grained knowledge of the expressible threats from all of the major kits, including not just the vulnerabilities, but also the obfuscation techniques, redirection techniques, and re-packaging of their dropper files. Here are just a few other ways we interrupt the malware kill chain to make it harder for the bad guys to drive right through this sizable hole in current IT infrastructure:

  • Real-time intelligence to block lures, phishing, and other forms of social engineering coming across web, email, and mobile platforms
  • Real-time inbound intelligence to identify known or suspicious malware destinations and compromised sites 
  • Real-time outbound intelligence to identify command and control communication, bot networks, dynamic DNS requests, and fingerprinted data headed to the wrong people or places
  • Identifying malicious droppers both statically and behaviorally (via Websense ThreatScope™)

It's clearly not just the zero-day attacks that should be getting all of the attention.

2013 Threat Report: More Than Scary Stats and Chilling Charts
Posted: 13 Feb 2013 08:30 AM

The 2013 Threat Report from the Websense® Security Labs™ is now available.

The report details mobile, social, email and web-based threats, and while it is full of ominous data points, it is a very interesting read. The report is designed to help security professionals keep current with threat trends and improve the effectiveness of existing security solutions. It can also be used to identify and prioritize security gaps that may require new approaches and more innovative strategies.

Creating the report began with the Websense ThreatSeeker® Network, composed of big data clusters used by Websense Security Labs (WSL) to collect and manage up to 5 billion inputs each day from 900 million global endpoints. Malware samples, mobile applications, email content, web links and other information were then passed through deep analysis processes including Websense ACE (Advanced Classification Engine), which applied over 10,000 different analytics.

Here is a sampling of key findings from this year's report:

  1. Web Security. The web became significantly more malicious in 2012, both as an attack vector and as the primary support element of attacks originating through social media, mobile devices, and email. Researchers measured an alarming 600 percent increase in the use of malicious web links through all vectors.
  2. The Social Web. Malicious content was hidden within social media behind shortened web links 32 percent of the time. Social media attacks took advantage of the confusion of new features, changing services and unsophisticated users.
  3. Mobile Security. A study of last year's malicious apps revealed how they often abuse permissions; especially in the use of SMS communications, something very few legitimate apps do. Risks also increased as mobile devices were used for social media and web surfing more often than actually making a phone call.
  4. Email Security. Only 1 in 5 emails sent were legitimate, as spam increased to 76 percent of email traffic, and 92% of spam included links to potentially malicious content. Phishing threats delivered via email also grew.
  5. Malware Behavior. Forensic analysis identified that registry modification behavior in malware has declined to 7.7%. Once a key indicator of malicious behavior, it has given way to malware that is increasingly Internet-connected: half of all malware used the Internet for communications and downloaded additional malicious executables to extend its attack capabilities within the first 60 seconds.
  6. Data Theft. Key changes in data theft targets and methods took place last year. Reports of intellectual property (IP) theft increased, and theft of credit card numbers and other Personally Identifiable Information (PII) continued to grow. Hacking, malware and other cyber-threats continued to be common methods of attack. However, some of the largest thefts involved physical penetration of security as well, often by willful employees.

Because today's attacks occur in multiple stages through numerous vectors, the report includes an appendix on The Seven Stages of Advanced Threats. This methodology for analyzing and classifying cyber-attacks provides a useful framework for organizations to assess their current defenses against their security profile, identify weaknesses and develop a more comprehensive strategy for withstanding next-generation attacks. A summary of the Websense 2013 Security Predictions report is also included for planning purposes.

Click for a video introduction or download a copy of the 2013 Threat Report.

New Java Zero Day Used In Exploit Kits
Posted: 10 Jan 2013 10:47 AM

Websense Security Labs™ is following reports that a new Java zero day vulnerability (CVE-2013-0422) is being exploited in the wild by exploit kits. Early this morning, a researcher who goes by the handle Kafeine disclosed that he has started seeing exploits of a new Java vulnerability appearing in multiple exploit kits in the wild. Following up on his post, we have confirmed that we are protecting against the landing pages of these exploit kits with Websense ACE (Advanced Classification Engine) technology.  The landing page is the first thing that loads in an exploit-kit-based attack. It's used to scan clients for vulnerabilities and send the appropriate exploits. This is one of the seven stages of an attack that you can read about here. The kits identified as using this zero day code so far are Cool Exploit Kit, Blackhole Exploit Kit, Red Kit, and Nuclear Exploit Pack.

Snippet of POC code:

The fact that exploits of this vulnerability were found in the wild and in exploit kits is huge. It's common knowledge that exploit kit developers don't typically write exploits on their own. In fact, exploit kit authors typically copy and paste code to include exploits in their packs. Since this exploit is already in exploit kits, it could spread very rapidly to other kit authors who are anxious to get a zero day in their code.  A zero day in exploit kits means a higher success rate for "loads" of malicious binaries, and therefore adds lots of value to the kit. Because this vulnerability is in Java, there's also a possibility that it could be applied to client platforms like Mac OS and Linux, as well as Windows.

This makes two web-based vulnerabilities in the wild in less than a month. It's a dangerous time to be on the web. We strongly encourage that Java be removed from client computers. If that's impossible due to proprietary applications, please use a separate browser with Java enabled for required applications only. Your everyday browser can handle web surfing just fine without Java enabled. As for the current IE zero day, there is a "Fix It" solution available from Microsoft; however, keep in mind that a Fix It solution isn't going to be as strong as a full patch.

Update:

Oracle has pushed out an update for the Java vulnerability which is available here.

Microsoft has also published an out-of-band patch for CVE-2012-4792, which you can read more about here.

Chris Astacio

Happy New Year and Unhappy New IE Zero-Day! (CVE-2012-4792)
Posted: 02 Jan 2013 06:28 AM

First, welcome to 2013 and we trust that you had a happy holiday period. As is to be expected, holidays or not, there is no rest for the wicked (be that attacker or defender) and therefore we kick off our 2013 blog with details of CVE-2012-4792, an Internet Explorer zero-day vulnerability.

The Websense® ThreatSeeker® Network has already detected instances of this vulnerability being exploited in the wild, unsurprising given that the exploit is publicly available as a Metasploit module, and therefore it is likely that attacks will continue to gain traction.

Websense customers are protected from this threat by Websense ACE (Advanced Classification Engine).

The vulnerability, as recently announced in Microsoft Security Advisory 2794220, affects users of Microsoft Internet Explorer versions 6, 7, and 8 and could allow attackers to remotely execute code on vulnerable machines by simply having the victim visit a malicious website.

As seen countless times in the past, typical tactics for enticing victims to visit these malicious sites often include tricking them into clicking links in fake emails, or simply compromising legitimate websites to serve malicious payloads to their unsuspecting visitors.

This particular vulnerability is caused by how Internet Explorer accesses an object in memory that has been deleted or improperly allocated. Exploitation can then result in memory corruption, which in turn could allow an attacker's own code to be executed within the context of the current user, as if it were being run by that user.

At this time, Microsoft has not released a patch to address this vulnerability. However, it has provided an easy one-click 'Fix It' solution. Internet Explorer versions 9 and 10 are listed as not being vulnerable.

Websense Security Labs™ are continuing to monitor this situation and, as a member of the Microsoft Active Protection Program (MAPP), are working with Microsoft in order to provide the best protection to our customers.

Update:

Microsoft has issued an Out Of Band update for CVE-2012-4792, which you can read about here.

Jason Hill

Adobe Reader and Acrobat Vulnerability (CVE-2011-2462)
Posted: 07 Dec 2011 07:39 PM

Yesterday, Adobe released a Security Advisory warning about a vulnerability in Adobe Reader and Acrobat. Adobe rated this vulnerability "critical," because it may allow an attacker to execute code remotely and take control of an affected system. Adobe is currently working on a fix and planning to roll that fix out next week for the 9.x versions of its software for Windows. Because Adobe Reader X and Adobe Acrobat X have a sandboxing mechanism called Protected View, these versions will not allow code to be executed remotely. So for these newer X versions of the affected software, Adobe will issue a fix in its next quarterly update, currently scheduled for January 10, 2012. Adobe lists Protected View as a way to safeguard your system against this threat. Please be sure to use the X version of Adobe software and verify that Protected View is enabled. The Mitigations section of the Adobe Security Advisory explains how to do this for the X versions.

Websense Security Labs™ is aware of reports that this vulnerability has been used in the wild. We have updated our Advanced Classification Engine, ACE, to help protect against and look for any other possible attacks in the wild.

Chris Astacio

Vulnerability in TimThumb WordPress Plugins - The Effects
Posted: 15 Aug 2011 07:45 AM

With the popularity of the WordPress blogging platform, security researchers here at Websense® Security Labs are sure to sit up and take note of any reported zero-day threats affecting the platform itself or the plugins used by blog masters.

Recently, we saw a post by Mark Maunder of the technology company Feedjit, in which he described a compromise caused by a WordPress plugin. The danger was that this was a zero-day issue affecting a popular image-resizing tool often used within WordPress. That was on August 1.

Sure enough, just one week after this initial warning, our ThreatSeeker® Network began to see code injected into WordPress Web sites. At first we saw a reference to the domain hxxp://superpuperdomain.com/ injected at the foot of compromised WordPress blogs. This code appears to have been delivering advertisements to end users via redirects to search engines.

Last Friday, we saw a slight adaptation of the injected code. This time, visitors to compromised sites were led to the domain hxxp://superpuperdomain2.com/, which seemingly was a placeholder for more nefarious activity. Websense customers are protected with ACE, our Advanced Classification Engine.

Interestingly, over the weekend, we saw the number of injections leading to the first URL decrease as the use of the second URL ramped up on August 12, as the chart below shows:

This course of events is fairly typical in the life of a zero-day vulnerability. As the issue becomes known, developers rush to fix the vulnerability. In the meantime, malware authors seek to launch attacks on vulnerable websites and deliver variations of attack code to bypass security products. In this case, we saw peaks of 10,000 WordPress-running Web sites infected with the code.

The research team over at Sucuri Security also noticed the same over the weekend. Their blog is here.

If you are running WordPress on your blog and want to find out more about TimThumb and how to get the latest version, you should take a look at the TimThumb Project page.

Carl Leonard

One more Adobe 0-day vulnerability using Office files
Posted: 11 Apr 2011 04:44 PM

Today Adobe announced a new 0-day vulnerability (CVE-2011-0611) in Adobe Flash Player and Adobe Acrobat that, similar to the previous 0-day from less than a month ago, was found embedded in a Microsoft Office file. The vulnerability allows an attacker to execute malicious code on a computer and has been spotted in limited targeted attacks. Websense customers are protected against the known samples that use this vulnerability.

Adobe says in their security advisory that Adobe Acrobat Reader X and its new Sandbox feature prevent the attack from exploiting the system when using PDF files. However, since the vulnerability exists in Flash, a machine can be exploited via other formats and applications that support Flash, such as Web pages and Office documents.

The vulnerability has only been seen used in very limited targeted attacks. Here is a VirusTotal report (1/43) of one reported attack file.

Adobe hasn't announced when they will release a patched version of Adobe Flash and Adobe Reader/Acrobat but they did say that they won't fix this until June 14 in Adobe Reader X, as the Sandbox feature prevents the attack.

Patrik Runald

New 0-day Vulnerability in Adobe Flash Player (CVE-2011-0609)
Posted: 15 Mar 2011 07:35 AM

Websense® Security Labs™ has received reports of a new zero-day exploit that targets Adobe Flash Player (CVE-2011-0609). The vulnerability can potentially allow an attacker to execute malicious code on a targeted machine and has been spotted in a limited number of targeted attacks. The targeted attacks employed an Excel file with an embedded Flash file (.swf) that triggers the vulnerability, with the aim of executing unsolicited malicious code on the targeted machines.

The security advisory released by Adobe marks the vulnerability as "critical", and it affects all the latest versions of Adobe Flash Player. The vulnerability also exists in Adobe Acrobat Reader and Adobe Acrobat Reader X, as the vulnerable DLL file "authplay.dll" is also shipped with those versions. However, Adobe Acrobat X can prevent this kind of vulnerability from being exploited thanks to its sandbox functionality, so in that respect it's highly recommended to upgrade to that version if possible.

Adobe plans to patch this vulnerability with an update to Flash Player that will be available for all platforms on the 21st of March.

Currently, we're not seeing any widespread attacks in the wild that utilize this vulnerability, largely because the exploit details aren't publicly disclosed, but we're monitoring the situation and will keep you updated as related events unfold.

Elad Sharf

MS Tuesday - February 2011
Posted: 09 Feb 2011 11:47 AM

System administrators and security experts focus on Patch Tuesday every month (also known as Microsoft Black Tuesday or MS Tuesday). This time Microsoft patched many important vulnerabilities, but have they fixed all currently known zero days? Let's find out.

This time, on February 8th, Microsoft released 12 security bulletins fixing various vulnerabilities, including three critical ones. Possibly the most important is the 0-day found recently in the Graphics Rendering Engine (GRE), along with another 0-day that affects the Cascading Style Sheet (CSS) handler in Internet Explorer. The software giant also fixed a critical vulnerability in its OpenType Compact Font Format (CFF) driver.

A further nine important bulletins were also included in this update, so it is highly recommended that users update all servers and workstations to avoid becoming a victim of online crime.

Some of the vulnerabilities included in this Patch Tuesday can be exploited remotely, while others require the attacker to have local access to the computer. As the cyber criminal does not need to physically meet the victim for a remote exploit, users are more exposed to this type of attack. The Websense ThreatSeeker Network detects thousands of compromised Web sites every day that lead visitors to malicious sites, which then exploit unpatched vulnerabilities and gain full access to the unaware user's computer. Websense Security Gateway and Websense Hosted Services protect customers against this type of attack; however, it is very good practice to keep servers and workstations up to date.

The bulletins and vulnerabilities in detail:

Three critical vulnerabilities have been patched:

  • MS11-003: Cumulative update which fixes four vulnerabilities in Internet Explorer. These vulnerabilities could allow an attacker to run any code on a computer without the user's consent while browsing a malicious or compromised Web site. The four vulnerabilities include:

  • MS11-006: Fixes a fully disclosed critical vulnerability in the Graphics Rendering Engine (GRE) in many Windows versions, including Windows XP, Server, and Vista. The vulnerability could allow an attacker to execute arbitrary code on a computer while the user is viewing a specifically-crafted thumbnail image. See this blog for further details. The following vulnerability has been patched:
    • CVE-2010-3970 - Windows Shell Graphics Processing Overrun Vulnerability (0-day)

  • MS11-007: Security update for a non-disclosed vulnerability in the Compact Font Format (CFF), which affects Windows versions, including Windows XP, Server, and Windows 7. The vulnerability could allow an attacker to execute arbitrary code on a computer while the user is viewing content which includes a specifically-crafted OpenType font. The following vulnerability has been patched:

Nine non-critical, but important security patches:

  • MS11-004: This bulletin patches a vulnerability in Microsoft Internet Information Services (IIS) FTP Service, which could allow an attacker to execute code on the FTP server using a malicious FTP command. Since FTP Service is not installed by default on IIS, this update was categorized as "Important" only. The following vulnerability has been patched:
    • CVE-2010-3972 - IIS FTP Service Heap Buffer Overrun Vulnerability (0-day)

  • MS11-005: This is a security update for a vulnerability found in Active Directory. The vulnerability could allow a cyber criminal to attack an Active Directory server, causing Denial of Service; however, the attacker first needs to join the domain and must have administrator privileges on that domain. Because of this, this vulnerability is not critical.

  • MS11-008: This bulletin resolves two non-disclosed vulnerabilities in Microsoft Visio. The vulnerability could allow an attacker to execute arbitrary code on the computer while the user is viewing a specifically crafted Visio file. The following vulnerabilities have been patched:

  • MS11-009: This one fixes a non-disclosed vulnerability in the JScript and VBScript Scripting Engines. The vulnerability could allow an attacker to gather information from the user's computer while the user is visiting a malicious Web site. A typical trick to get a user to visit one of these Web sites is sending a spam or phishing e-mail with the link. The following vulnerability has been patched:
    • CVE-2011-0031 - Scripting Engines Information Disclosure Vulnerability

  • MS11-010: Another non-disclosed vulnerability which affects the Microsoft Windows Client/Server Run-time Subsystem (CSRSS) in Windows XP and Windows Server 2003. This vulnerability could allow a criminal an Elevation of Privilege type of attack on a local computer by retrieving sensitive logon information from the user while they are logging on and off. Doing this, an attacker could gain privileges from other users including the administrator. The following vulnerability has been patched:
    • CVE-2011-0030 - CSRSS Elevation of Privilege Vulnerability

  • MS11-011: This is a cumulative update correcting two different vulnerabilities. Both of them could allow a criminal an Elevation of Privilege type of attack on a local computer by running a specifically-crafted application. The following vulnerabilities have been patched:
    • CVE-2010-4398 - Driver Improper Interaction with Windows Kernel Vulnerability
    • CVE-2011-0045 - Windows Kernel Integer Truncation Vulnerability

  • MS11-012: This cumulative update fixes another Elevation of Privilege type of vulnerability, where the attacker could gain privileges from other users including the administrator. For this the attacker needs to be able to log on to the computer and run a specifically-crafted application. The following vulnerabilities have been patched:
    • CVE-2011-0086 - Win32k Improper User Input Validation Vulnerability
    • CVE-2011-0087 - Win32k Insufficient User Input Validation Vulnerability
    • CVE-2011-0088 - Win32k Window Class Pointer Confusion Vulnerability
    • CVE-2011-0089 - Win32k Window Class Improper Pointer Validation Vulnerability
    • CVE-2011-0090 - Win32k Memory Corruption Vulnerability

  • MS11-013: This bulletin patches Windows Kerberos. The vulnerability could allow a cyber criminal to forge service tickets on a Kerberos server, gaining privileges from other users including the administrator. However, the attacker first needs to join the domain and must have administrator privileges on that domain. Because of this, this vulnerability is not critical. The following vulnerabilities have been patched:

  • MS11-014: This non-disclosed vulnerability is yet another Elevation of Privilege type, affecting the Local Security Authority Subsystem Service (LSASS) in Windows XP and Windows Server 2003. The vulnerability could allow an attack on a local computer by running a specifically-crafted application on it. For this the attacker first needs valid credentials to be able to log on to the computer and run applications. The following vulnerability has been patched:

As we have seen a couple of times in previous MS Tuesday bulletins, once again we have a very important security patch set. It contains many critical and high severity fixes, resolving many vulnerabilities actively used by ongoing attacks. Websense Labs therefore highly recommends applying the patches as soon as you can to improve immunity against these kinds of attacks.

Tamas Rudnai

©2013 Websense, Inc. All Rights Reserved.