CVE-2012-1875 in the Wild (Part 2) – Internet Explorer Gets Stumped

 

Thanks to Parveen Vashishtha for his assistance with this research.
 
Microsoft's Patch Tuesday has been very interesting this month. Symantec has observed the exploitation of a couple of client-side vulnerabilities in the wild. This blog will concentrate on one of them, the Microsoft Internet Explorer Same ID Property Remote Code Execution Vulnerability (CVE-2012-1875), which was actively exploited even before Patch Tuesday.
 
We have observed this vulnerability being served through various sites using multiple injected iframes. These iframes are responsible for seamlessly delivering the exploit to unsuspecting users. Figure 1 depicts some of the iframes that have been injected into legitimate websites.

Figure 1. Injected iframes

The intention behind injecting multiple iframes may be to provide a failover mechanism: the exploit is still served even if one of the domains is taken down or cleaned.
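As an added defender-side example (not code from the original post), the following Python check flags iframes that combine an off-site source with a hiding trick (zero or one-pixel dimensions, or hidden CSS), which is the shape of the injected failover iframes described above. The sample HTML, the hostnames and the page host are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a legitimate page with two injected, hidden iframes
# (the failover pattern) plus one benign, visible embed.
SAMPLE_HTML = """
<html><body>
<h1>Welcome</h1>
<iframe src="https://www.youtube.com/embed/abc" width="560" height="315"></iframe>
<iframe src="http://evil-one.example/Exploit.html" width="0" height="0"></iframe>
<iframe src="http://evil-two.example/Exploit.html" style="display:none"></iframe>
</body></html>
"""

HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)


class IframeAuditor(HTMLParser):
    """Collects <iframe> tags and records the ones that look injected."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = dict(attrs)
        src = a.get("src") or ""
        reasons = []
        # Cross-site source: the frame pulls content from another host.
        if src and urlparse(src).hostname not in (None, self.page_host):
            reasons.append("external-src")
        # Zero or one-pixel dimensions keep the frame invisible to the user.
        dims = ((a.get("width") or "").strip(), (a.get("height") or "").strip())
        if any(d in ("0", "1") for d in dims):
            reasons.append("zero-size")
        # CSS hiding achieves the same invisibility.
        if HIDDEN_STYLE.search(a.get("style") or ""):
            reasons.append("hidden-style")
        # Report only frames that are both off-site and hidden.
        if "external-src" in reasons and len(reasons) > 1:
            self.findings.append((src, reasons))


def audit_iframes(html, page_host):
    """Return [(src, reasons)] for iframes that look injected."""
    parser = IframeAuditor(page_host)
    parser.feed(html)
    return parser.findings


if __name__ == "__main__":
    for src, why in audit_iframes(SAMPLE_HTML, "www.legit-site.example"):
        print(f"suspicious iframe {src}: {', '.join(why)}")
```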
 
The "Exploit.html" page contains obfuscated JavaScript that embeds an SWF file, as shown in Figure 2. The JavaScript makes a couple of distinct function calls whose implementations reside inside the SWF file. The JavaScript code coupled with the SWF file is responsible for triggering the exploit.

Figure 2. Obfuscated JavaScript from Exploit.html

The relation between the SWF file and the JavaScript inside “Exploit.html” can be seen in Figure 3.

Figure 3. Relationship between the SWF and JavaScript code

The SWF file is also responsible for heap-spraying the memory and setting up the shellcode. The heap spray is tailored to the operating system version (in this case, Windows 7 and Windows XP) and is only performed if the request comes from Internet Explorer 8. Part of the code inside the SWF file is shown in Figure 4.

Figure 4. SWF code extract

Once the vulnerability is exploited and the shellcode runs, a request is sent to download additional malware, which is then executed.
 
The good news is that Symantec customers are protected from this attack. Symantec antivirus detects the dropped malware as Trojan.Naid, and IPS blocks this attack with the signature Web Attack: MSIE Same ID Property CVE-2012-1875. We urge our readers to apply software patches promptly and keep their security software definitions up-to-date.