
New Internet Explorer 8 Zero-Day Used in Watering Hole Attack

Created: 05 May 2013 02:16:30 GMT • Updated: 23 Jan 2014 18:07:40 GMT • Translations available: 日本語

Microsoft has issued Security Advisory 2847140 in response to reports regarding public exploitation of a vulnerability affecting Internet Explorer 8. Other versions, such as Internet Explorer 6, Internet Explorer 7, Internet Explorer 9, and Internet Explorer 10, are not affected. Initial reports indicate that a website associated with a department of the US government was compromised to host the exploit in what's known as a watering hole attack. Upon visiting the site, a vulnerable victim would have been redirected to download a back door as the payload. Symantec products detect the exploit code on the vulnerable site as Trojan.Malscript, Bloodhound.Exploit.494, or Bloodhound.Exploit.495 and the back door as Backdoor.Darkmoon.

In the Microsoft advisory this vulnerability has been assigned CVE-2013-1347. From analysis, it appears to be nearly identical to a previously discovered vulnerability, CVE-2012-4792, which was patched by Microsoft in MS13-008 in January 2013. Further details and analysis will be provided as they become available.

Symantec customers are protected from the payload with updates from May 1, 2013. We are also investigating the possibility of further protections for these vulnerabilities and will provide updates when available. We advise users to apply any patches as soon as Microsoft makes them available. Microsoft has also provided workarounds to mitigate the risk associated with the vulnerability.

We have carried out in-depth research into watering hole style attacks dating back to 2009. That research and analysis is contained in a paper named The Elderwood Project, which we published in September 2012.

Update – May 6, 2013

Symantec also has the following intrusion prevention system (IPS) signatures in place to block attacks that exploit this vulnerability: