Attacks/Breaches

8/19/2015
11:30 AM
Sara Peters
Sara Peters
Quick Hits
Connect Directly
Twitter
RSS
E-Mail
50%
50%

IE Bug Exploited In Wild After Microsoft Releases Out-Of-Band Patch

Remote code execution vulnerability in Internet Explorer versions 7 through 11 being used to drop PlugX RAT.

A critical memory corruption vulnerability in Internet Explorer versions 7 through 11 that Microsoft released an emergency patch for yesterday is being used in watering hole and spearphishing attacks. Successful exploitation enables remote code execution and grants the attacker the same privileges as the current user.

The vulnerability, CVE-2015-2502, is a memory corruption bug, exploited by a hacker either hosting a malicious website or running malicious content on a legitimate site.

The attack seen in the wild has been using a malicious IFrame and drops a variant of the PlugX remote access Trojan, which calls a command-and-control server based in Korea, according to Heimdal Security.

“The recently exposed flaw does allow remote code execution so it is in a class that is pretty serious," says Cris Thomas, strategist at Tenable Network Security. "The key here though, and the reason why Microsoft issued an out-of-band patch, isn't because this bug is super bad, but because bad guys are using this bug right now to break into people’s systems. However, Microsoft hasn't released any information with regards to how extensive that usage is. It is possible that this issue is only being used in selective, highly targeted attacks or it could be in widespread use on a botnet or third party web advertising network.

"Unfortunately, there are no work-arounds for this bug. Ensuring that you have Microsoft's Enhanced Mitigation Experience Toolkit configured will make exploiting this bug more difficult, but not impossible."  

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
12 Free, Ready-to-Use Security Tools
Steve Zurier, Freelance Writer,  10/12/2018
Most IT Security Pros Want to Change Jobs
Dark Reading Staff 10/12/2018
6 Security Trends for 2018/2019
Curtis Franklin Jr., Senior Editor at Dark Reading,  10/15/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Flash Poll
The Risk Management Struggle
The Risk Management Struggle
The majority of organizations are struggling to implement a risk-based approach to security even though risk reduction has become the primary metric for measuring the effectiveness of enterprise security strategies. Read the report and get more details today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-10839
PUBLISHED: 2018-10-16
Qemu emulator <= 3.0.0 built with the NE2000 NIC emulation support is vulnerable to an integer overflow, which could lead to buffer overflow issue. It could occur when receiving packets over the network. A user inside guest could use this flaw to crash the Qemu process resulting in DoS.
CVE-2018-13399
PUBLISHED: 2018-10-16
The Microsoft Windows Installer for Atlassian Fisheye and Crucible before version 4.6.1 allows local attackers to escalate privileges because of weak permissions on the installation directory.
CVE-2018-18381
PUBLISHED: 2018-10-16
Z-BlogPHP 1.5.2.1935 (Zero) has a stored XSS Vulnerability in zb_system/function/c_system_admin.php via the Content-Type header during the uploading of image attachments.
CVE-2018-18382
PUBLISHED: 2018-10-16
Advanced HRM 1.6 allows Remote Code Execution via PHP code in a .php file to the user/update-user-avatar URI, which can be accessed through an "Update Profile" "Change Picture" (aka user/edit-profile) action.
CVE-2018-18374
PUBLISHED: 2018-10-16
XSS exists in the MetInfo 6.1.2 admin/index.php page via the anyid parameter.