
New Internet Explorer Zero-day Targeted in Attacks Against Korea and Japan

Created: 09 Oct 2013 14:08:36 GMT • Updated: 23 Jan 2014 18:03:51 GMT
In Microsoft’s Patch Tuesday for October 2013, the company released MS13-080 to address two critical vulnerabilities that have been actively exploited in limited targeted attacks. The first critical vulnerability in Internet Explorer, the Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2013-3893), was discussed in an earlier Symantec blog.
 
The second critical vulnerability for Internet Explorer is the Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2013-3897). In a blog post, Microsoft describes this issue as a use-after-free vulnerability in CDisplayPointer that is triggered with the onpropertychange event handler. The post goes on to explain that the exploit uses a JavaScript heap spray to allocate a small ROP chain around the address 0x14141414. When found in the wild, the exploit was designed to target only Internet Explorer 8 on Windows XP, for Korean-language and Japanese-language users. For Symantec customers, the following protection is already in place for this attack:
 
Antivirus:
 
Intrusion Prevention System:
 
Symantec telemetry shows that the attack taking advantage of CVE-2013-3897 began around September 11, 2013 and that it has mainly affected South Korean users, because Web pages on a popular Korean blogging site were used to redirect users to the site hosting the exploit.
 
Symantec is continuing to investigate this attack to ensure that the best possible protection is available. As always, we recommend that users keep their systems up-to-date with the latest software patches. We also advise customers to use the latest Symantec technologies and incorporate the latest Norton consumer and Symantec enterprise solutions to best protect against attacks of this kind.
 
Update – 09 October, 2013:
Symantec has released an additional IPS signature to protect against CVE-2013-3897:
 
Update – 11 October, 2013:
Symantec has released an additional AV detection to protect against CVE-2013-3897: