IE 0-day: exploit code is now widely available (CVE-2013-3893)

Blog post by rbarrett, Sep 24, 2013

Any newly discovered Internet Explorer zero-day vulnerability is bad for users. But once the exploit code reaches public disclosure sites, it is so much worse. In the past day or so, exploit code has been submitted to virustotal.com and scumware.org.


Users and administrators should take immediate action to mitigate the risk posed by CVE-2013-3893. Considering the timing, I personally expect to see an out-of-band patch from Microsoft before October's Patch Tuesday, but that is just speculation. Exploitation in the wild still seems limited to IE 8 and 9, and the exploit which is circulating also seems to rely on MS Office being present (not clear why, as yet). However, all versions of IE are affected by this issue, which means that this vulnerability has likely been present since IE 6 was released in 2001. The fact that it is getting attention now is due to either a noticeable volume or a noticeable impact of active exploitation in the wild. It may have been discovered only last week, or it may have been in the private toolkit of the world's best malware writers for more than a decade.


This is about to become as severe as any browser issue can be. There were reports of regionally restricted public exploitation of the issue, but now that the exploit code is in the wild it is only a matter of time before it appears in commercial malware packs and broader exploitation. The vulnerability allows the attacker to gain the privileges of the user. All too often on Windows that means Administrator-level privileges, but I would speculate that the exploit looking for MS Office could mean it is being used with another privilege elevation vulnerability in Office. The mantra "I only visit safe sites" is a false promise of protection, as it is far too easy to misdirect, redirect, or otherwise cause a user to interact with a site they are not expecting. Legitimate sites may also be compromised to host malware serving this exploit.


The simplest way to avoid this risk is to use a browser other than Internet Explorer. Users who must use Internet Explorer should install all available Internet Explorer patches and only use the latest versions available. Neither of those things will directly help with this specific issue, but they are good practices and prerequisites for the following actions to be at all effective.


To mitigate the risk of exploitation from this issue, install EMET 4.0, configure it to force ASLR, and enable its heap-spray and ROP protections. Additionally, there is a "Fix it" available from Microsoft which will attempt to modify the system to prevent exploitation. Fix its are not full-fledged patches which have gone through Microsoft's generally rigorous quality assurance, so there is a risk that it is not a complete solution or that it could cause compatibility issues with other products (details on both can be found here). Personally I would do both: install and configure EMET, and apply the Fix it.
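As an added example (my own script, not code from the post or from Microsoft), the EMET steps above could be applied and checked from an elevated PowerShell prompt on a 64-bit Windows 7 host as follows. It assumes EMET 4.0 is installed in its default location and uses the `EMET_Conf.exe` verbs `--set` and `--list` as I recall them from the EMET 4.0 command-line usage; both the path and the verbs should be checked against the EMET 4.0 user guide before running it. The Fix it package path is a placeholder, since the post links to the details rather than naming the package.

```powershell
# Added example: protect Internet Explorer with EMET 4.0 and verify the result.
# Run from an elevated PowerShell prompt. EMET path and EMET_Conf verbs are
# assumptions based on EMET 4.0's documented command line; verify before use.

$ErrorActionPreference = 'Stop'

# Default EMET 4.0 install location (assumption); adjust if installed elsewhere.
$emetConf = Join-Path ${env:ProgramFiles(x86)} 'EMET 4.0\EMET_Conf.exe'
if (-not (Test-Path $emetConf)) {
    throw "EMET_Conf.exe not found at '$emetConf'; install EMET 4.0 first."
}

# Report the installed IE version. Every version is affected according to the
# post; svcVersion carries the real version on IE 10+, Version on IE 9 and older.
$ieReg = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Internet Explorer'
$ieVersion = if ($ieReg.svcVersion) { $ieReg.svcVersion } else { $ieReg.Version }
Write-Host "Internet Explorer version: $ieVersion"

# Both the 64-bit and the 32-bit IE binaries exist on 64-bit Windows; protect
# whichever are present. The 32-bit one is what the circulating exploit targets
# and is also the one EMET 4.0's ROP mitigations cover.
$iePaths = @(
    "$env:ProgramFiles\Internet Explorer\iexplore.exe",
    "${env:ProgramFiles(x86)}\Internet Explorer\iexplore.exe"
) | Where-Object { Test-Path $_ }

# --set adds the application with EMET's full mitigation set enabled, which
# includes mandatory (forced) ASLR, heap-spray pre-allocation and the ROP
# checks the post recommends. Individual mitigations can be toggled with
# +Name / -Name arguments per the user guide if a compatibility issue appears.
foreach ($ie in $iePaths) {
    Write-Host "Adding EMET protection for $ie"
    & $emetConf --set $ie
}

# Verify: the listing should now show each iexplore.exe path with its mitigations.
& $emetConf --list

# Optionally apply Microsoft's Fix it for this advisory. The package path is a
# placeholder; the post links to the details rather than naming the package.
$fixit = '<PATH-TO-MICROSOFT-FIXIT-MSI>'
if (Test-Path $fixit) {
    Start-Process -FilePath msiexec.exe -ArgumentList "/i `"$fixit`" /quiet /norestart" -Wait
} else {
    Write-Host "Fix it package not staged at '$fixit'; skipping."
}
```

Restart Internet Explorer after running this, as EMET mitigations are applied when the protected process starts, and keep the `--list` output as the record that the host was hardened.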