Friday, June 17, 2011

Exploit for MS11-050 Vulnerability in the Wild

Via Symantec Über Security Response Blog -

Symantec Security Response has confirmed that the Microsoft Internet Explorer Time Element Uninitialized Memory Remote Code Execution Vulnerability (CVE-2011-1255) is being exploited in the wild. The vulnerability affects Internet Explorer versions 6, 7, and 8; however, the exploit we have acquired seems to only affect version 8. Microsoft has already released patches as part of the MS Tuesday release on June 14, so Symantec advises all users to install the patch. So far, we have only seen limited attacks taking advantage of this vulnerability and believe that the exploit is only being carried out in targeted attacks at present.

We have been able to confirm the existence of one such attack that involves a compromised website hosting content for a neighborhood restaurant. It appears that a duplicate of the top page of the website was either hacked to include a hidden iframe tag linking to an exploit page or was prepared from scratch, which, if run successfully, the included shell code downloads an encrypted malicious file from the same site. Interestingly, a link to, which is a site that offers statistical analysis, is included in the page, perhaps to provide the attackers with an idea of how the attack is progressing. The downloaded malware then contacts using the HTTP protocol and awaits further commands. provides a type of dynamic DNS service and is known to be used for various malicious purposes, so it may not be a bad idea to block access to this domain and, if needed, whitelist the subdomains that you may need access to. It's likely that the attacker sends emails to targets with a link to the website with the intent to steal confidential information, which is a common method used in targeted attacks.

To protect themselves from attack, users should apply the latest patch for this vulnerability. They should also keep all other software on their computer up to date as well, including security software. Users should also be cautious when receiving emails with attachments and links they receive from both known and unknown sources.


Threat Mitigation - Apply MS11-050
The vulnerability outlined above was patched in Microsoft's Security Bulletin MS11-050 - Cumulative Security Update for Internet Explorer (2530548).
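The Symantec text above also suggests blocking the dynamic DNS provider's domain and whitelisting only the subdomains you need. The following is an added example, not code from Symantec or from this post: it applies that rule to proxy log lines and reports which clients contacted the blocked zone. The post does not name the provider, so `dyndns-provider.example`, the allowlisted host and the log lines are constructed placeholders.

```python
from urllib.parse import urlsplit

# Placeholder parent zone: the post does not name the real dynamic DNS domain.
BLOCKED_PARENTS = {"dyndns-provider.example"}
# Hypothetical exception: exact hosts only, so a sibling subdomain is still blocked.
ALLOWED_HOSTS = {"partner.dyndns-provider.example"}

# Constructed proxy log lines in the form "<client-ip> <method> <url>".
SAMPLE_LOG = """\
10.0.0.5 GET http://partner.dyndns-provider.example/status
10.0.0.7 GET http://upd4te.dyndns-provider.example/index.php
10.0.0.7 GET http://UPD4TE.DynDNS-Provider.Example./index.php
10.0.0.9 GET http://notdyndns-provider.example/
10.0.0.9 GET http://dyndns-provider.example.cdn.example/
10.0.0.4 GET http://dyndns-provider.example:8080/
"""

def normalize_host(url):
    """Lower-case host without port or trailing root dot, so variants compare equal."""
    host = urlsplit(url).hostname or ""
    return host.rstrip(".")

def is_under(host, parent):
    """Match on a label boundary; a bare suffix test would also hit look-alike names."""
    return host == parent or host.endswith("." + parent)

def verdict(url):
    host = normalize_host(url)
    if not host:
        return "no-host"
    if host in ALLOWED_HOSTS:          # allowlist is checked before the block rule
        return "allow"
    if any(is_under(host, p) for p in BLOCKED_PARENTS):
        return "block"
    return "pass"

def flag_clients(log_text):
    """Map each client IP to the blocked hosts it requested."""
    hits = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue                   # skip malformed lines
        client, _method, url = parts
        if verdict(url) == "block":
            hits.setdefault(client, []).append(normalize_host(url))
    return hits

if __name__ == "__main__":
    for client, hosts in flag_clients(SAMPLE_LOG).items():
        print(client, sorted(set(hosts)))
```

Clients that appear in the output have already reached the blocked zone and are the ones to check for the missing MS11-050 update.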
