Blogs & Stories

SpiderLabs Blog

Attracting more than a half-million annual readers, this is the security community's go-to destination for technical breakdowns of the latest threats, critical vulnerability disclosures and cutting-edge research.

Mayday! 0-Day

While many workers around the world were celebrating the May 1st events, the US Department of Labor website got hacked and was used to redirect browsers to a 3rd party site which served a new IE 8 0day exploit, known as CVE-2013-1347. Microsoft already released an advisory about it last Friday.

Having a quick look at the in-the-wild exploit code, it can be seen that the exploit creator targeted only victims running IE 8 on windows XP computers, by using Javascript that triggers the exploit based on the user agent. However, the exploit can work with IE8 on other versions of Windows such as Windows 7. The reason for limiting this attack to Windows XP users is currently unknown.

Apparently, the attackers collected technical statistics on the victims' browser plugins BEFORE serving them with the IE exploit, for example whether plug-ins from their antivirus product, from Fiddler Proxy or from TamperData are installed. That information is then sent to the aforementioned 3rd party site.

According to a tweet from one of Metasploits' exploit developers, a module for this CVE will be released soon. Therefore an increase in exploit attempts of this CVE is quite likely.

And to the good news: Trustwave SWG Server (versions 10.1 and higher) blocks this attack out-of-the-box using its generic protection engines, without any further update, thus maintaining good record of blocking the recent 0-day attakcs.