# Full Report
Microsoft released a patch last week for a critical remote code execution vulnerability in Internet Explorer. The vulnerability is significant because the underlying bug is old: it is present in every version of Internet Explorer from 3 through 11.
# Analysis Summary
# Vulnerability: Remote Code Execution in Internet Explorer (Unicorn Bug)
## CVE Details
- CVE ID: CVE-2014-6332
- CVSS Score: Not explicitly provided; the source rates the vulnerability as "critical"
- CWE: Not provided; the bug class is most likely memory corruption or improper input validation
## Affected Systems
- Products: Microsoft Internet Explorer
- Versions: 3 through 11 (all supported versions prior to the patch)
- Configurations: Any system running an unpatched version of Internet Explorer. Attempts to bypass Enhanced Protected Mode (EPM) in IE11 were also noted.
## Vulnerability Description
This critical remote code execution (RCE) vulnerability stems from a long-standing bug present in Internet Explorer versions 3 through 11. Successful exploitation allows an attacker to run arbitrary code on the victim's machine merely by having the victim visit a specially crafted website. The exploit was noted to be capable of bypassing mitigations such as IE11's Enhanced Protected Mode (EPM) sandbox and Microsoft's EMET toolkit.
## Exploitation
- Status: Exploited in the wild (Observed active exploitation attempts targeting users browsing a major Bulgarian website).
- Complexity: Low (a publicly available proof-of-concept achieved arbitrary code execution simply by having the victim visit a malicious page).
- Attack Vector: Network (Triggered via web browsing).
## Impact
- Confidentiality: High (Allows for arbitrary code execution, leading to potential data theft)
- Integrity: High (Allows for arbitrary code execution, leading to system modification)
- Availability: High (Allows for malware installation, potentially leading to DoS or system compromise)
## Remediation
### Patches
- Microsoft released a patch for this vulnerability. The specific KB article mentioned is **KB3011443**. Users must apply this patch via Windows Update.
### Workarounds
- No configuration workarounds were described beyond applying the patch; the only guidance given was to update Internet Explorer immediately.
## Detection
- Indicators of Compromise (IOCs):
  - Connection attempts to the external domain referenced in the exploit payloads (e.g., `natmasla[.]ru`).
  - Files dropped in the `%TEMP%` directory (`KdFKkDls.txt`, `natmasla.exe`).
  - The browser spawning `cmd.exe` (used to write a script file) or `powershell.exe` (used to download payloads).
  - Detection of the dropped malware as **Win32/IRCBot.NHR**.
- Detection Methods and Tools:
  - ESET detected the exploit attempt as **Win32/Exploit.CVE-2014-6332.A**.
  - Security solutions should be updated to recognize the associated malware hash (SHA1: `825C4F203659AF27356CBEC8E1DA46C259DD962C`).
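The indicators above can be turned into a retrospective sweep over endpoint telemetry. The script below is an added example, not part of the original report or any vendor tooling: it refangs the published domain, matches the `%TEMP%` file names and SHA1, and flags the behaviour the report describes (a browser process spawning `cmd.exe` or `powershell.exe`). The `key=value` log format, hostnames, timestamps and file paths are constructed for the example; only the indicators themselves come from the report.

```python
"""Sweep constructed endpoint telemetry for the CVE-2014-6332 indicators.

Added example; the log format and sample events are constructed, the
indicator values are those published in the report above.
"""
import re
from pathlib import PureWindowsPath

# Indicators from the report. The domain is kept defanged, as published.
IOC_DOMAINS = {"natmasla[.]ru"}
IOC_TEMP_FILES = {"KdFKkDls.txt", "natmasla.exe"}
IOC_SHA1 = {"825C4F203659AF27356CBEC8E1DA46C259DD962C"}
# Behavioural rule: a browser spawning a shell interpreter.
SHELL_IMAGES = {"cmd.exe", "powershell.exe"}
BROWSER_IMAGES = {"iexplore.exe"}

# Constructed sample telemetry in an assumed key=value format (not a real sensor's output).
SAMPLE_LOG = r'''
ts=2014-11-14T10:01:02Z host=WS01 type=process image="C:\Program Files\Internet Explorer\iexplore.exe" parent=explorer.exe
ts=2014-11-14T10:01:09Z host=WS01 type=dns query=www.example.org
ts=2014-11-14T10:01:11Z host=WS01 type=dns query=natmasla.ru
ts=2014-11-14T10:01:12Z host=WS01 type=process image="C:\Windows\System32\cmd.exe" parent=iexplore.exe
ts=2014-11-14T10:01:13Z host=WS01 type=file path="C:\Users\bob\AppData\Local\Temp\KdFKkDls.txt"
ts=2014-11-14T10:01:14Z host=WS01 type=process image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" parent=iexplore.exe
ts=2014-11-14T10:01:20Z host=WS01 type=file path="C:\Users\bob\AppData\Local\Temp\natmasla.exe" sha1=825c4f203659af27356cbec8e1da46c259dd962c
ts=2014-11-14T10:05:00Z host=WS02 type=process image="C:\Windows\System32\cmd.exe" parent=explorer.exe
'''

# key=value pairs; quoted values may contain spaces and backslashes.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line):
    """Parse one telemetry line into a dict of field -> value."""
    return {key: quoted or bare for key, quoted, bare in KV_RE.findall(line)}


def refang(indicator):
    """Turn a defanged indicator such as natmasla[.]ru back into a matchable form."""
    return indicator.replace("[.]", ".").lower()


def basename(path):
    """Case-folded final component of a Windows path."""
    return PureWindowsPath(path).name.lower()


def is_temp_path(path):
    """True when the path has a Temp component, i.e. resolves under %TEMP%."""
    return "temp" in (part.lower() for part in PureWindowsPath(path).parts)


def check_event(event):
    """Return the names of every rule the event matches (empty list when clean)."""
    hits = []
    kind = event.get("type")
    if kind == "dns":
        if event.get("query", "").lower() in {refang(d) for d in IOC_DOMAINS}:
            hits.append("ioc_domain")
    elif kind == "file":
        path = event.get("path", "")
        if is_temp_path(path) and basename(path) in {f.lower() for f in IOC_TEMP_FILES}:
            hits.append("ioc_temp_file")
        if event.get("sha1", "").lower() in {h.lower() for h in IOC_SHA1}:
            hits.append("ioc_sha1")
    elif kind == "process":
        if (basename(event.get("image", "")) in SHELL_IMAGES
                and event.get("parent", "").lower() in BROWSER_IMAGES):
            hits.append("browser_spawned_shell")
    return hits


def sweep(log_text):
    """Run every rule over every line; return (timestamp, host, rule) alerts in log order."""
    alerts = []
    for line in log_text.strip().splitlines():
        event = parse_event(line)
        for rule in check_event(event):
            alerts.append((event["ts"], event["host"], rule))
    return alerts


if __name__ == "__main__":
    for ts, host, rule in sweep(SAMPLE_LOG):
        print(f"{ts} {host} {rule}")
```

Against the constructed log the sweep raises six alerts, all on `WS01`: the DNS lookup, both shell spawns under `iexplore.exe`, both `%TEMP%` file names, and the SHA1 match on `natmasla.exe`. The `cmd.exe` launched from `explorer.exe` on `WS02` is deliberately left unflagged, which is why the behavioural rule keys on the parent process rather than on the shell image alone.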
## References
- Vendor Advisory: `support.microsoft.com/kb/3011443/en-us` (Defanged)
- Research: `securityintelligence.com/ibm-x-force-researcher-finds-significant-vulnerability-in-microsoft-windows/` (Defanged)