TMCnet Feature Free eNews Subscription
October 02, 2013

If You Release It, They Will Attack: New Internet Explorer Exploit Release Causes Concern

By Steve Anderson, Contributing TMCnet Writer

Sometimes, one of the surest ways to prompt an attack is to leave a weakness unaddressed and sitting out in the open. That seems to be what's going on with the public release of a new exploit for the Metasploit penetration tool, an open-source mechanism that was originally designed as a computer security tool, but like many tools, has had parts of it misused for more malicious purposes.



The vulnerability in question was announced by Microsoft (News - Alert) back on September 17, and goes by the name “CVE-2013-3893.” Microsoft, at last report, became aware of the flaw when it was being used in specifically targeted attacks, and in response, released a temporary tool designed to address the flaw in the short term via a download. However, no permanent patch to address CVE-2013-3893 as yet exists, as seen by its lack on Windows Update.

The vulnerability in question allows for all versions of Internet Explorer to be attacked, and can be used to force the user's system to execute random code when a visitor arrives at a particular website. Attacks are, at last report, still going on throughout large parts of Japan and Taiwan alike—going as far back as potentially July—an exploit around this vulnerability had already been adopted by two separate groups and used as a weapon against multiple websites. But now, with the development of a CVE-2013-3893 exploit for Metasploit, concerns are growing. Metasploit is meant for security professionals, but various criminal groups and individuals have also been known to borrow exploits created for Metasploit, and use said exploits in attacks against other systems.

AlienVault (News - Alert) research team manager Jaime Blasco underscored the issue by suggesting that the exploit will likely wind up in several exploit kit systems, and that Metasploit's inclusion of the exploit in question would likely trigger “an increase of widespread exploitation.” The “exploit kits” in question are tool collections that can be used by cybercriminals for various operations, many of which are often larger in scale than the kinds of attacks seen so far.

Indeed, even Metasploit engineering manager Tod Beardsley suggested in a recent e-mail that the fuss about Metasploit may be for naught as the exploit in question may well already be part of standard exploit kit systems, as it was actually obtained from existing attacks, which means Metasploit may not be telling anyone anything that's not already known. Some evidence from the developer behind the exploit, Wei Chen, suggests that parts of the code involved date back to at least 2012. But then, there may not be much cause for alarm anyway, as the “Fix It” used is seemingly effective, leading Beardsley to hope an actual patch will be “straightforward.”

The eternal back-and-forth of patch and exploit has been part of computing for a large part of the history of computers. Starting with viruses and giving way to ever more complex sources, all that can really be done on a personal level is to keep up as best as possible with anti-viral systems and hope for the best. With due care, many of these problems never really become problems at all, though as we've seen here, not even the utmost diligence at the user level can prevent every issue. Those who make computer security systems, including patches, must also remain diligent to help protect the users of same.




Edited by Blaise McNamee
» More TMCnet Feature Articles
Get stories like this delivered straight to your inbox. [Free eNews Subscription]
SHARE THIS ARTICLE

LATEST TMCNET ARTICLES

» More TMCnet Feature Articles