Thanks to Parveen Vashishtha for his assistance with this research.
This month's Microsoft Patch Tuesday has been very interesting. Symantec has observed a couple of client-side vulnerabilities being exploited in the wild. This blog concentrates on one of them, the Microsoft Internet Explorer Same ID Property Remote Code Execution Vulnerability (CVE-2012-1875), which was being actively exploited even before Patch Tuesday.
We have observed the exploit for this vulnerability being served through various compromised sites using multiple injected iframes. These iframes silently deliver the exploit to unsuspecting visitors. Figure 1 shows some of the iframes that have been injected into legitimate websites.
Figure 1. Injected iframes
The intention behind injecting multiple iframes may be to provide a failover mechanism: the exploit continues to be served even if one of the redirector domains is taken down or cleaned.
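To make the injection pattern above concrete, here is an added example (not code from the Symantec post) that scans a page for iframes that are hidden, point off-site, or both, and lists the distinct off-site hosts. The HTML, the page URL and the `.invalid` hostnames are constructed for the example; in a real triage you would feed it the fetched source of a suspected compromised page. Several distinct hidden off-site hosts in one page is the failover pattern described above.

```python
"""Flag injected iframes in an HTML page (added example, not from the Symantec post).

An iframe is reported when it is hidden (display:none, visibility:hidden,
or a 0/1 pixel box) or when its src loads from a host other than the page's
own. Injected redirectors are normally both.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

HIDDEN_STYLE_TOKENS = ("display:none", "visibility:hidden")


class IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            # HTMLParser already lowercases names; a bare attribute has value None
            self.iframes.append({k: (v or "") for k, v in attrs})


def _is_hidden(attrs):
    style = attrs.get("style", "").replace(" ", "").lower()
    if any(tok in style for tok in HIDDEN_STYLE_TOKENS):
        return True
    try:
        # strip("px") removes a trailing "px" unit; "100%" fails and is treated as visible
        width = int(attrs.get("width", "100").strip("px"))
        height = int(attrs.get("height", "100").strip("px"))
    except ValueError:
        return False
    return width <= 1 or height <= 1


def find_suspicious_iframes(html, page_url):
    """Return one finding per iframe that is hidden and/or off-site."""
    parser = IframeCollector()
    parser.feed(html)
    page_host = urlparse(page_url).hostname
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        host = urlparse(src).hostname  # None for a relative src
        off_site = host is not None and host != page_host
        hidden = _is_hidden(attrs)
        if off_site or hidden:
            findings.append({"src": src, "host": host, "hidden": hidden, "off_site": off_site})
    return findings


def distinct_offsite_hosts(findings, hidden_only=False):
    """Sorted list of off-site hosts; hidden_only=True keeps the injection candidates."""
    return sorted({f["host"] for f in findings
                   if f["off_site"] and (f["hidden"] or not hidden_only)})


# Constructed sample page: one legitimate same-site frame, one visible embed,
# and two hidden redirectors on different hosts (the failover pattern).
SAMPLE_PAGE_URL = "http://legit-site.invalid/index.html"
SAMPLE_HTML = """<html><body>
<h1>Welcome</h1>
<iframe src="/news/latest.html" width="600" height="400"></iframe>
<iframe src="http://video-host.invalid/embed/123" width="640" height="360"></iframe>
<iframe src="http://redirector-a.invalid/x.php" width="1" height="1" style="visibility: hidden"></iframe>
<iframe src="http://redirector-b.invalid/y.php" style="display:none"></iframe>
</body></html>"""

if __name__ == "__main__":
    found = find_suspicious_iframes(SAMPLE_HTML, SAMPLE_PAGE_URL)
    for f in found:
        print(f)
    print("injection candidates:", distinct_offsite_hosts(found, hidden_only=True))
```

The visible off-site embed is still reported so an analyst can decide whether it is legitimate; only the hidden off-site frames are promoted to injection candidates, and each of those hosts is a separate takedown target.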
The SWF file is also responsible for heap-spraying memory and setting up the shellcode. The heap spray is tailored to the operating system version (in this case, Windows 7 and Windows XP) and is performed only if the request comes from Internet Explorer 8. Part of the code inside the SWF file is shown in Figure 4.
Figure 4. SWF code extract
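The version gating above matters when replaying the landing page from a sandbox: a client that does not look like IE8 on Windows XP or 7 gets no heap spray and no exploit, and the capture looks benign. The following added example (not code from the SWF or from the Symantec post) reproduces that target check over User-Agent strings so an analyst can confirm the replay client fits the profile. It assumes the gating is keyed off the browser User-Agent, which the post does not specify, and it handles the compatibility-view case where IE8 reports itself as MSIE 7.0 but keeps its Trident/4.0 token.

```python
"""Does a User-Agent match the client profile this sample targets: IE8 on
Windows XP or Windows 7? Added example, not code from the SWF or the post;
the User-Agent keying is an assumption.
"""
import re

# Windows NT kernel version -> product name. Neighbouring versions are kept so a
# near miss (IE8 on Vista) is reported as such rather than silently skipped.
WINDOWS_VERSIONS = {
    "5.1": "Windows XP",
    "5.2": "Windows XP x64 / Server 2003",
    "6.0": "Windows Vista",
    "6.1": "Windows 7",
}
TARGET_OS = {"Windows XP", "Windows 7"}
TARGET_IE_MAJOR = 8

_MSIE_RE = re.compile(r"MSIE (\d+)\.\d+")
_TRIDENT_RE = re.compile(r"Trident/(\d+)\.\d+")
_WINNT_RE = re.compile(r"Windows NT (\d+\.\d+)")


def ie_version(ua):
    """Return the real IE major version, or None for non-IE clients.

    In compatibility view IE8+ rewrites the MSIE token to 7.0 but keeps the
    Trident token (Trident/4.0 is IE8, 5.0 is IE9, and so on), so the Trident
    token is trusted first and the MSIE token is only a fallback (IE7 and
    older have no Trident token).
    """
    trident = _TRIDENT_RE.search(ua)
    if trident:
        return int(trident.group(1)) + 4
    msie = _MSIE_RE.search(ua)
    return int(msie.group(1)) if msie else None


def windows_version(ua):
    """Return the Windows product name from the NT version token, or None."""
    match = _WINNT_RE.search(ua)
    return WINDOWS_VERSIONS.get(match.group(1)) if match else None


def would_be_sprayed(ua):
    """True when the client matches the IE8 + Windows XP/7 gate described above."""
    return ie_version(ua) == TARGET_IE_MAJOR and windows_version(ua) in TARGET_OS


# Constructed User-Agent strings for a replay check.
SAMPLE_AGENTS = {
    "ie8_win7": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)",
    "ie8_compat_xp": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0)",
    "ie7_xp": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)",
    "ie8_vista": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0)",
    "ie9_win7": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)",
    "firefox_win7": "Mozilla/5.0 (Windows NT 6.1; rv:13.0) Gecko/20100101 Firefox/13.0.1",
}

if __name__ == "__main__":
    for name, ua in SAMPLE_AGENTS.items():
        print(f"{name:14} IE={ie_version(ua)} OS={windows_version(ua)} "
              f"sprayed={would_be_sprayed(ua)}")
```

If the replay client is not a match, no amount of waiting will produce the download request described in the next paragraph; fix the client profile before concluding the site has been cleaned.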
Once the vulnerability is exploited and the shellcode runs, it sends a request to download additional malware, which is then executed.
The good news is that Symantec customers are protected from this attack. Symantec antivirus detects the dropped malware as Trojan.Naid, and IPS blocks the attack with the signature Web Attack: MSIE Same ID Property CVE-2012-1875. We urge our readers to apply software patches promptly and keep their security software definitions up to date.