NEWS FROM THE LAB - Tuesday, October 8, 2013

DeepGuard 5 vs. IE Zero-Day Exploit CVE-2013-3893 Posted by SecResponse @ 12:19 GMT

SPOILER ALERT: DeepGuard wins.

It's Patch Tuesday, and Microsoft will be releasing its monthly security updates later today.

Installing the updates as soon as possible is highly recommended because one of the patched vulnerabilities in Internet Explorer, CVE-2013-3893, is already being exploited in the wild. A Metasploit module for exploiting CVE-2013-3893 has also been released. But today is key, as the bad guys will almost certainly now reverse engineer the patches in order to develop exploits for the other vulnerabilities as well.

Building protection against exploits by creating vulnerability-specific defenses one at a time is not really sustainable. More proactive protection can be achieved by focusing on the exploitation techniques themselves. With this in mind, the key feature we introduced in version 5 of our behavioral technology — DeepGuard — is behavior-based exploit interception. By monitoring the behavior of commonly exploited software, e.g., web browsers, we can protect users against threats we have not yet seen — including zero-day exploits.

Here's a brief video of DeepGuard protecting the system from compromise via an exploit based on the CVE-2013-3893 vulnerability. The IE version in the video is vulnerable, i.e., the system does not have today's updates installed. The exploit in the video has been used in real attacks and is very similar to the ones described by FireEye and Dell, right down to the runrun.exe payload encrypted with a 0x95 XOR key. The attack is replayed from a webserver on an isolated test network.
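For an analyst holding the captured payload blob, the single-byte XOR key can be recovered without a decoder by trying every candidate byte and checking whether the result looks like a PE file. The script below is an added example, not F-Secure's code; the "captured" blob is constructed inline from a minimal fake PE header, encoded with the 0x95 key the post mentions.

```python
"""
Recover a single-byte XOR key from a captured payload blob.

Added example (not F-Secure's code). A single-byte XOR leaves the PE
structure intact once the right key is applied, so brute-forcing all
256 keys and checking for an MZ header whose e_lfanew points at "PE\0\0"
identifies the key. The sample blob is constructed, not real malware.
"""
import struct
from typing import Optional

MZ = b"MZ"
PE_SIG = b"PE\x00\x00"


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key (the operation is its own inverse)."""
    return bytes(b ^ key for b in data)


def looks_like_pe(data: bytes) -> bool:
    """Minimal PE sanity check: MZ signature and e_lfanew pointing at PE\\0\\0."""
    if len(data) < 0x40 or data[:2] != MZ:
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == PE_SIG


def recover_xor_key(blob: bytes) -> Optional[int]:
    """Try all 256 single-byte keys; return the first that yields a PE header."""
    for key in range(256):
        if looks_like_pe(xor_bytes(blob, key)):
            return key
    return None


def build_fake_pe() -> bytes:
    """Constructed stand-in for the payload: DOS header plus a PE signature at 0x40."""
    hdr = bytearray(0x80)
    hdr[:2] = MZ
    struct.pack_into("<I", hdr, 0x3C, 0x40)  # e_lfanew -> offset 0x40
    hdr[0x40:0x44] = PE_SIG
    return bytes(hdr)


# Constructed sample: the fake PE encoded the way the post describes (key 0x95).
CAPTURED_BLOB = xor_bytes(build_fake_pe(), 0x95)

if __name__ == "__main__":
    key = recover_xor_key(CAPTURED_BLOB)
    print(f"recovered key: {key:#04x}" if key is not None else "no PE found")
```

Because byte 0 must decode to 'M', exactly one key can satisfy the check, so a match is a strong indicator rather than a coincidence.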

The exploit sets and checks a cookie to avoid exploiting the same system twice. Once DeepGuard has blocked the exploit and forced the tab to close, IE will try to reopen the tab. Because the cookie was set, the JavaScript code skips the exploit and simply redirects the user to naver.com.

YouTube: DeepGuard 5 vs. IE Zero-Day Exploit CVE-2013-3893

In other words… our technology offers superior protection to customers — on day zero.

You can read more about our DeepGuard technology in this white paper. Read and enjoy while installing today's updates.

Post by — Timo