Software

Microsoft Updates November 2013 – Burning the 0day

Microsoft’s November 2013 Patch Tuesday delivers a set of three critical Bulletins and five Bulletins rated “important”. This month’s MS13-088 patches eight critical vulnerabilities and two important vulnerabilities in Internet Explorer. Overall, Microsoft is addressing 19 issues in Internet Explorer, Office and Windows itself.

The star of the show is MS13-090 which addresses CVE-2013-3918, an ActiveX vulnerability being attacked through Internet Explorer, revealed on the 8th by the guys at FireEye to be abused by a long running APT operation they call “DeputyDog”. As a part of this operation, the group strategically popped yet another carefully selected web site, then redirected those visitors to their 0day attack. Simply labelling it “just another watering hole” may not fully describe the amount of planning and preparation that goes into selecting the web site property to compromise, and then burn the 0day on attack activity. The identity of the compromised web property in this case has not been publicly disclosed to date. The timing of this 0day delivery could quite possibly reveal the operational maturity of this group as well. On another note, I don’t know if I missed something, but in my decade or so of reviewing shellcoding techniques, I don’t think that I have ever seen “CreateRemoteThread” used to deliver a payload in a significant exploit.

At the same time, another whopping eight flaws are being fixed in Internet Explorer with MS013-088. No doubt these should be patched by organizations immediately, as the memory corruption issues invite exploit development attention. A few of the eight CVE include issues with “information disclosure”, which enable exploit developers to advance their exploit code further into process space and are serious issues.

Surprisingly, Microsoft is patching code in their WordPerfect converter “wpft532.cnv” for stack overflow issue CVE-2013-1324. This vulnerability enables spearphish attacks across all versions of their OS, but on 64bit platforms, the component may not be present. I didn’t expect to write about stack BoF in their code at the end of 2013, but hey, it’s tricky stuff.

More about this month’s patches can be found at the Microsoft site.

Follow me on Twitter

Microsoft Updates November 2013 – Burning the 0day

Your email address will not be published. Required fields are marked *

 

Reports

APT trends report Q2 2021

This is our latest summary of advanced persistent threat (APT) activity, focusing on significant events that we observed during Q2 2021: attacks against Microsoft Exchange servers, APT29 and APT31 activities, targeting campaigns, etc.

LuminousMoth APT: Sweeping attacks for the chosen few

We recently came across unusual APT activity that was detected in high volumes, albeit most likely aimed at a few targets of interest. Further analysis revealed that the actor, which we dubbed LuminousMoth, shows an affinity to the HoneyMyte group, otherwise known as Mustang Panda.

WildPressure targets the macOS platform

We found new malware samples used in WildPressure campaigns: newer version of the C++ Milum Trojan, a corresponding VBScript variant with the same version number, and a Python script working on both Windows and macOS.

Ferocious Kitten: 6 years of covert surveillance in Iran

Ferocious Kitten is an APT group that has been targeting Persian-speaking individuals in Iran. Some of the TTPs used by this threat actor are reminiscent of other groups, such as Domestic Kitten and Rampant Kitten. In this report we aim to provide more details on these findings.

Subscribe to our weekly e-mails

The hottest research right in your inbox