Installing the updates as soon as possible is highly recommended because one of the patched vulnerabilities in Internet Explorer, CVE-2013-3893, is already being exploited in the wild. A Metasploit module for exploiting CVE-2013-3893 has also been released. But today is key, as the bad guys will almost certainly now reverse engineer the patches in order to develop exploits for the other vulnerabilities as well.
Building protection against exploits by creating vulnerability-specific defenses one at a time is not really sustainable. More proactive protection can be achieved by putting the focus on the exploitation techniques. With this in mind, the key feature we introduced in version 5 of our behavioral technology — DeepGuard — is behavior-based exploit interception. By monitoring the behavior of commonly exploited software, e.g., web browsers, we can protect users against threats we have not yet seen — including zero-day exploits.
Here's a brief video of DeepGuard protecting the system from compromise via an exploit based on the CVE-2013-3893 vulnerability. The IE version in the video is vulnerable, i.e., the system does not have today's updates installed. The exploit in the video has been used in real attacks and is very similar to the ones mentioned by FireEye and Dell, right down to the runrun.exe payload encrypted with the 0x95 XOR key. The attack is replayed from a webserver on an isolated test network.
The exploit sets and checks a cookie to avoid exploiting the same system twice. Once DeepGuard has blocked the exploit and forced the tab to close, IE will try to reopen the tab. Because the cookie was set, the JavaScript code skips the exploit and simply redirects the user to naver.com.
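A single-byte XOR such as the 0x95 key mentioned above hides the payload from naive string matching but is easy to undo during analysis of a captured HTTP response. The following added example (not code from the post or from DeepGuard) brute-forces the key by testing which of the 256 candidates yields a plausible PE image, i.e. an `MZ` stub whose `e_lfanew` field points at a `PE\0\0` signature; the encoded sample it runs on is a constructed, minimal fake header, not the real runrun.exe.

```python
import struct
from typing import Optional

XOR_KEY_FROM_POST = 0x95  # key named in the post; used only to build the sample


def _build_sample_image() -> bytes:
    """Constructed stand-in for a PE file: MZ stub + e_lfanew + 'PE\\0\\0' header.

    Not a runnable executable; only the fields the detector inspects are real.
    """
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # PE signature followed by IMAGE_FILE_MACHINE_I386 (0x014c) and padding.
    pe_header = b"PE\x00\x00" + struct.pack("<H", 0x014C) + b"\x00" * 18
    return dos_header + pe_header


def xor_single_byte(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte (encoding and decoding are the same op)."""
    return bytes(b ^ key for b in data)


def looks_like_pe(data: bytes) -> bool:
    """True if data starts with 'MZ' and e_lfanew (offset 0x3C) points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def recover_xor_key(blob: bytes) -> Optional[int]:
    """Return the single-byte key that turns blob into a PE image, or None."""
    for key in range(256):
        if looks_like_pe(xor_single_byte(blob, key)):
            return key
    return None


# Constructed sample: the fake image encoded the way the post describes.
ENCODED_SAMPLE = xor_single_byte(_build_sample_image(), XOR_KEY_FROM_POST)

if __name__ == "__main__":
    key = recover_xor_key(ENCODED_SAMPLE)
    print(f"recovered key: {key:#04x}" if key is not None else "no key found")
```

On a real capture, run `recover_xor_key` over the response body served after the exploit fires; a recovered key plus a decoded PE is a strong indicator that the page delivered an executable rather than content.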