Websense Security Labs Blog

Websense Security Labs discovers, investigates and reports on advanced Internet threats that traditional security
research methods miss.

Latest Blog Posts

View all posts > 

CVE-2012-4792 tagged in these posts

Zero-Day Attack for Internet Explorer (CVE-2013-3897) Goes High Profile

Posted: 09 Oct 2013 03:26 AM | Elad Sharf | no comments

Websense® Security Labs™ has seen a new zero-day exploit for Internet Explorer (CVE-2013-3897) used in highly targeted, low-volume attacks in Korea, Hong Kong, and the United States, as early as September 18th, 2013. The publication of the vulnerability details ( CVE-2013-3897 ) were shared by Microsoft in advance of today's patch for the vulnerability that is now available for download. Websense ThreatSeeker ® Intelligence Cloud was able to correlate those attacks and create a profile about targeted geographical locations where attacks began as well as targeted industries, which will be described later in this post. In addition, we found the targeted attacks that utilized the exploit for CVE-2013-3897 also included older exploits in their attacks like CVE-2012-4792 for certain targets. Executive Summary Websense ThreatSeeker Intelligence Cloud has seen a new zero-day exploit for Internet Explorer ( CVE-2013-3897 ) used in highly targeted, low-volume attacks in Korea, Hong Kong, and the United States, as early as September 18th, 2013. Websense telemetry indicates that the attack campaign using the same infrastructure and the exploit (CVE-2012-4792) began as early as August 23rd 2013 before transitioning to CVE-2013-3897 in mid-September A patch has been supplied by Microsoft and is available for download. Microsoft took this opportunity to patch a previous vulnerability for Internet Explorer CVE-2013-3893 . The patch for both vulnerabilities can be found at this link: ms13-080 . Our ThreatSeeker Intelligence Cloud reported that the attacks targeted primarily financial and heavy industries in Japan and Korea. Our telemetry shows that the actors behind these attacks used their infrastructure to launch older exploits for Internet Explorer, such as CVE-2012-4792 , which was first seen at the start of 2013. Websense has protected our customers from the recent Microsoft Internet Explorer CVE-2013-3897 and CVE-2013-3893 exploits observed in the wild by using real-time analytics that have been in place for nearly three years. Vulnerability Details for CVE-2013-3897 The vulnerability is caused by a "use-after-free" error when processing "CDisplayPointer" objects within mshtml.dll and generically triggered by the “onpropertychange” event handler; the vulnerability could be exploited remotely by attackers to compromise a system via a malicious web page. The specific exploit that has been seen uses heap-spray to allocate some memory that employs an ROP technique around the 0x 14141414 address (as confirmed by the Microsoft Security Response Center). A sample of one of the specific exploit pages that has been spotted in the wild shows Javascript code that appears to target Microsoft Windows XP 32-bit with these languages: Japanese or Korean and Internet Explorer 8. The attacks were served by directly browsing to raw IP addresses and were spotted served by selected IP addresses in the network range of 1.234.31.x...


Filed under: , , , , ,

The CVE-2012-4792 and the Spear-Phishing Rotary Domains (Part 2)

Posted: 05 Feb 2013 10:00 AM | Gianluca Giuliani | no comments


In the previous part of our report, we analyzed  the malicious content detected in the domain "rotary-eclubtw.com". We detected the exploitation code for the vulnerability CVE-2012-4792 and analyzed the Flash file which was used to contain the heap spray code and the shell code. In this part we are going to show some of the details that we extracted from the shell code and from behavioral analysis of the malware installed after a successful exploiting attempt. We have also added some details related to the domain name using the WHOIS records and internal data.


Why are waterhole attacks occurring? What is the attackers' objective, both here and in other cases? As we learned from this analysis, the malware is used to steal files from compromised computers, while also enabling monitoring of the user's emails and other activities. We also found suspicious ties to sites potentially targeting high technology suppliers, perhaps in Taiwan. Read on for details of the attack.




Filed under: ,

The CVE-2012-4792 and the Spear-Phishing Rotary Domains (Part 1)

Posted: 31 Jan 2013 01:20 AM | Gianluca Giuliani | no comments


Thanks to our ThreatSeeker® technology, it has been possible to detect a domain which we believe is involved in a spear phishing campaign against the users of a Rotary Club online service.  The Rotary Club (also called Rotary International) is an organization that provides humanitarian services, encourages high ethical standards in all vocations, and promotes charity actions. Since the Rotary Club is a worldwide organization, each country has a number of  local "clubs" for each region and they have also established an online service called  "Rotary eClub".  


Specifically, we discovered another attempt to exploit the Internet Explorer vulnerability CVE-2012-4792, which was discovered in a "water holing" attack against the USA Council of the Foreign Relations Web site (http://www.cfr.org). The results of our analysis were in accordance with those reported in this blog: apparently another worldwide campaign against several organizations which have in some way attracted the interest of the attackers due to the specific audiences for their sites. In this first part of the analysis, we will report our investigation into the obfuscated code and the exploit code detected. In the second part, we will present the analysis of the unusual mechanism implemented in the shellcode that runs the malware which is installed if the exploit is successful. We will also look at some details of the malware behavior and expose some details behind the involved domains and the infrastructure of this attack.  


The suspicious domain in our analysis is "rotary-eclubtw.com", which has apparently been registered to target the Taiwanese users of the Rotary eClub service as shown in the following screenshot:






Filed under:

Happy New Year and Unhappy New IE Zero-Day! (CVE-2012-4792)

Posted: 02 Jan 2013 06:28 AM | Carl Leonard | no comments

Firstly, welcome to 2013 and we trust that you had a happy holiday period. As is to be expected, holidays or not, there is no rest for the wicked (be that attacker or defender) and therefore we kick off our 2013 blog with details of CVE-2012-4792, an Internet Explorer zero-day vulnerability.


The Websense® ThreatSeeker® Network has already detected instances of this vulnerability being exploited in the wild, unsurprising given that the exploit is publically available as a Metasploit module, and therefore it is likely that attacks will continue to gain traction.




Filed under: , ,