Readers will likely have read the vulnerability assessment (updated earlier this morning) and the previous blog entry we posted. Obviously when issues like this arise and gather some attention in the press, customers understandably get concerned. Even if a patch were available, some would face a delay before being able to roll it out to critical systems. In this case, the patch was not included in this week's Microsoft patches, adding to the concern somewhat. Add to this the fact that Microsoft have now extended their advisory to also include IE 6 and 8, and we have plenty of room for concern. In this post I will summarise some of the activity we are seeing thus far around this vulnerability.
First up, this vulnerability is being actively exploited. We have started to see SQL defacement attacks being used to compromise sites and direct victims to pages where they are hit with a bundle of exploits, including this latest IE one. The diagram below illustrates one such attack (detection names are shown in the diagram):
What does this show us?
- Defaced sites are having script tags injected into them to load a malicious script from a rogue domain. Defaced pages are being detected as Mal/Badsrc-C.
- Subsequent redirection steps (blocked as Mal/Iframe-I and Mal/Iframe-G) then load a variety of malicious pages, which attempt to exploit various vulnerabilities.
- The payload (in this example attack) is common to all of these exploit scripts: it attempts to infect the victim with a rootkit we proactively detected as Mal/RKFarfli-B.
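As an added illustration (not code from this post, and not our detection logic), here is a small Python check a site owner could run over their own pages to spot the two injection patterns described above: a script tag pulling from a host the site does not use, and a hidden or off-site iframe. The allowed host list, the sample page and the `.invalid` hostnames are all constructed for the example.

```python
"""Flag injected <script src> and hidden/off-site <iframe> tags in an HTML page.
Added example: a first-pass check for the defacement pattern described above."""
from html.parser import HTMLParser
from urllib.parse import urlparse


class TagCollector(HTMLParser):
    """Collect script and iframe start tags with their attributes."""

    def __init__(self):
        super().__init__()
        self.tags = []  # list of (tag name, attribute dict)

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe"):
            self.tags.append((tag, dict(attrs)))


def _is_hidden(attrs):
    """Zero/one-pixel frames or display:none styling are typical of injected iframes."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    tiny = attrs.get("width") in ("0", "1") or attrs.get("height") in ("0", "1")
    return tiny or "display:none" in style or "visibility:hidden" in style


def find_suspicious_tags(html, allowed_hosts):
    """Return (kind, src) pairs for external scripts and hidden/external iframes.
    Relative src values (no host) are treated as the site's own content."""
    parser = TagCollector()
    parser.feed(html)
    findings = []
    for tag, attrs in parser.tags:
        src = attrs.get("src")
        if not src:
            continue
        host = urlparse(src).hostname or ""
        external = bool(host) and host not in allowed_hosts
        if tag == "script" and external:
            findings.append(("external-script", src))
        elif tag == "iframe" and (external or _is_hidden(attrs)):
            findings.append(("suspicious-iframe", src))
    return findings


# Constructed sample: a shop page with two legitimate scripts plus an injected
# script tag and a zero-size iframe appended to the body.
SAMPLE_PAGE = """<html><head><title>Shop</title>
<script src="/js/app.js"></script>
<script src="https://www.example.com/js/cart.js"></script>
</head><body><p>Welcome</p>
<script src="http://badsrc.invalid/b.js"></script>
<iframe src="http://redir.invalid/r.html" width=0 height=0 frameborder=0></iframe>
</body></html>"""

if __name__ == "__main__":
    for kind, src in find_suspicious_tags(SAMPLE_PAGE, {"www.example.com"}):
        print(kind, src)
```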
You can see that the new IE exploit is being detected as Troj/JSShell-E. In addition to this detection, we have also published Exp/Datbi-A and updated Mal/JSShell-B to provide additional protection against malicious content looking to target the vulnerability. Beyond the detections for the specific components targeting this vulnerability, you can see that a plethora of other steps and components are involved in protecting against the whole attack.
Will we continue to see more attacks targeting this vulnerability? Of course. Numbers will likely grow over the course of today and the weekend. Users should ensure they keep their security products up to date, and deploy effective URL filtering on their web gateway.