Product Coverage and Mitigation for CVE-2013-3893

Microsoft Security Advisory (2887505)

On September 17th, 2013, Microsoft published Security Advisory 2887505, which covers a remote code execution vulnerability in all supported versions of Microsoft Internet Explorer. The flaw resides in the handling of objects in memory that have been deleted or improperly allocated. Specifically, a use-after-free flaw in the HTML rendering engine (mshtml.dll) can be triggered to reach the vulnerable state.

This flaw is currently being exploited in limited and targeted attacks. Functional exploitation and malware artifacts have been identified in the wild.



Remediation / Mitigation


McAfee Labs

The following McAfee products and content provide coverage:

  • McAfee Vulnerability Manager
    • McAfee MVM / FSL Content Release of 9/18/2013
  • McAfee Antivirus
    • Coverage is provided in the 7204 DATs, released on 9/20/2013
    • Name – Exploit-IE!heur
  • McAfee Network Intrusion Prevention Systems (NIPS)
    • UDS Emergency Release of 9/17/2013
    • UDS signature attack ID 0x4510ef00
    • Name – "UDS-HTTP: Microsoft Internet Explorer onlosecapture Use After Free Vulnerability"

As new details emerge, or product coverage is updated, McAfee Labs will keep you posted.


Breaking Bad Fans Targeted in Twitter List Spam

On the heels of the show's most highly acclaimed episode, Breaking Bad fans tweeting about the popular AMC show may find themselves targeted by a new Twitter spam tactic.

Traditionally, spammers and scammers abused the reply functionality built into the service, but over the years spammers have searched for different ways to gain visibility among Twitter users. The most recent tactic being used is called list spam.

A Twitter list consists of a curated group of Twitter users. Users can create their own lists or subscribe to existing lists already created by others. Spammers are using this feature to get the attention of Twitter users.

Various lures have been used in Twitter list spam recently, from offering celebrity phone numbers to free gift cards, devices, and video games.

Figure 1. Twitter spam account for Breaking Bad

This weekend, the penultimate episode of Breaking Bad, “Granite State,” will air. The show has received a lot of buzz and fans, like myself, have eagerly counted the days until Sunday. Spammers are riding the coattails of the show’s popularity in an attempt to trick users into downloading a leaked copy of the next episode.

Figure 2. Twitter lists used in Breaking Bad spam

Twitter list spam starts with the target being added to a list along with thousands of other users. Usually, this type of spam requires you to visit the list creator's page to see the spam link. In this case, however, the link is presented in the list description itself.

Figure 3. Pastebin contains links to file hosting services

The URL leads to Pastebin, which contains links to different file hosting services for downloading the episode.

Figure 4. File hosting services hosting an episode of Breaking Bad

The file hosting services offer a 280MB file for the user to download. Alternatively, users can download a torrent file and obtain the episode over peer-to-peer.

Figure 5. File contained within the archive

Once downloaded, there are two files in the Zip: a text file named “How To Open – READ FIRST.txt” and a large file (nearly 300MB).

Figure 6. Readme text file contains a shortened URL

In order to open the large file, users are instructed to download the latest version of 7-Zip. The link directs users through an affiliate program, which is how scammers make money. The affiliate program directs users to an installer that comes bundled with other applications. Users can choose not to install these applications.

Figure 7. Breaking Bad season 5, episode 12

Ultimately, installation of this file is unnecessary as the video file can be opened in any media player. Unsurprisingly, the downloaded episode is from earlier this season.

Figure 8. Reporting spam account to Twitter

Twitter list spam is a new trend, one that is gaining quite a bit of traction. If you find yourself added to a Twitter list, you can remove yourself from the list by reporting the user that added you.

We don’t enable backdoors in our crypto products, RSA tells customers

RSA, the security firm that confirmed that two of its products use by default a crucial cryptography component reportedly weakened by the National Security Agency, said such design choices are made independently.

"RSA always acts in the best interest of its customers and under no circumstances does RSA design or enable any backdoors in our products," the security division of EMC said in a brief statement published Friday. "Decisions about the features and functionality of RSA products are our own."

The post came a day after RSA advised customers of the BSAFE toolkit and the Data Protection Manager to stop using something called Dual_EC_DRBG, which is the default random number generator (RNG) for creating cryptographic keys for both applications. The New York Times recently reported that the technology contained backdoor weaknesses inserted by the NSA before the National Institute of Standards and Technology formally adopted it as a standard in 2006.



Apple Releases iOS 7

Original release date: September 20, 2013

Apple has released iOS 7 for the iPhone 4 and later, iPod touch 5th generation and later, and iPad 2 and later to address multiple vulnerabilities. These vulnerabilities could allow remote attackers to execute arbitrary code, cause a cross-site scripting attack, bypass security restrictions, or cause a denial-of-service condition.

US-CERT encourages users and administrators to review Apple Support Article HT5934 and follow best practice security policies to determine if their organization is affected and the appropriate response.
