[funsec] MSIE 6/7/8 unpatched vulnerability confirmed
Paul Ferguson
fergdawgster at gmail.com
Fri Jan 15 03:40:25 CST 2010
On Fri, Jan 15, 2010 at 12:51 AM, Juha-Matti Laurio
<juha-matti.laurio at netti.fi> wrote:
> http://www.microsoft.com/technet/security/advisory/979352.mspx
>
> This is the 0-day vulnerability used in Google China attack.
>
Minor Correction: This is the 0-Day used in *some* of the Chinese targeted
attacks.
This appears to be a multi-pronged attack -- other organizations in the
past week or so have also been targeted via e-mail with malicious
attachments.
I would be hard-pressed to say that *all* of the targeted attacks *only*
employed the IE heap-spray 0-Day vulnerability/exploit, since it appears
that some of the other targeted organizations were targeted with e-mail
containing malicious attachments, e.g. the law firm (Gipson Hoffman &
Pancione) that is suing China over the CyberSitter code theft being used in
Green Dam:
http://blogs.zdnet.com/BTL/?p=29533
http://www.theregister.co.uk/2010/01/15/cybersitter_law_firm_attack/
Also, we have seen these same tactics used (malicious attachments in e-mail
disguised as legitimate communiqués) before when targeting Tibetan support
groups. It is quite possible (although not all the details are yet known)
that this was also recently used against a local (to me) Stanford student
who is a regional coordinator of “Students for a Free Tibet”:
http://www.mercurynews.com/ci_14195105
So, it is *quite possible* that this was a series of attacks, where the IE
0-Day discovered by McAfee was used on *some* of the targeted victims and
others were compromised by malicious e-mail attachments – we have seen
several undetected, booby-trapped .PDF exploits in the past week, including
this one described this morning over at the SANS Internet Storm Center:
http://isc.sans.org/diary.html?storyid=7984
And also Julia @ FireEye has this excellent post up tonight:
http://blog.fireeye.com/research/2010/01/pdf-obfuscation.html
I think it is dangerous, from a defense perspective, to say "This is
responsible for that" when there are clearly several different things
happening here -- instead of looking for quick explanation, everyone should
step back and observe that there are several critical paths to compromise
at work here.
$.02,
- ferg
--
"Fergie", a.k.a. Paul Ferguson
Engineering Architecture for the Internet
fergdawgster(at)gmail.com
ferg's tech blog: http://fergdawg.blogspot.com/