Microsoft Windows IE Vulnerability (CVE-2013-2551) attacks spotted in the wild (January 23, 2014)


The Dell SonicWALL Threats Research team has found the Internet Explorer vulnerability CVE-2013-2551 still being exploited in the wild.
This use-after-free vulnerability in Microsoft Internet Explorer 6 through 10 allows remote attackers to execute arbitrary code
via a crafted web site that triggers access to a deleted object.

This vulnerability has already been patched.

Following is an in-depth analysis of the attack.

Below is the crash code:

This vulnerability lets the attacker control data in memory. In this case, the data comes from address 0x0c0c0c0c.

The crash point:

The malicious JavaScript used to create the ROP chain is as follows:

We can see how the ROP chain translates into memory:

The stack trace:

We can see how the memory 0x0c0c0c0c is being written into.
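
A triage heuristic for captured pages, as an added example that is not part of the original advisory and is not SonicWALL's signature logic: it flags HTML that both enables VML (the component named in the signatures below) and contains 0x0c0c fill values like the address seen in the analysis. The marker patterns, function name and sample pages are constructed assumptions.

```javascript
// Constructed triage heuristic (assumption, not a vendor signature):
// flag captured HTML that enables VML and also carries 0x0c0c fill values.

// VML is enabled through this XML namespace or the #default#VML behavior.
const VML_MARKERS = [
  /urn:schemas-microsoft-com:vml/i,
  /behavior\s*:\s*url\(\s*#default#VML\s*\)/i,
];

// Spellings of the 0x0c0c fill value that can appear in script source.
const FILL_MARKERS = [
  { name: 'percent-u escape (%u0c0c)', re: /%u0c0c/gi },
  { name: 'JS unicode escape (\\u0c0c)', re: /\\u0c0c/gi },
  { name: 'literal 0x0c0c0c0c', re: /0x0c0c0c0c/gi },
];

// Returns which markers were found and a coarse verdict:
//   suspicious = VML and fill values together, review = one of the two.
function scanPage(html) {
  const usesVml = VML_MARKERS.some((re) => re.test(html));
  const fills = [];
  for (const { name, re } of FILL_MARKERS) {
    const count = (html.match(re) || []).length;
    if (count > 0) fills.push({ name, count });
  }
  let verdict = 'clean';
  if (usesVml && fills.length > 0) verdict = 'suspicious';
  else if (usesVml || fills.length > 0) verdict = 'review';
  return { usesVml, fills, verdict };
}

// Constructed sample pages (inert marker strings only).
const SAMPLE_SUSPICIOUS =
  '<html xmlns:v="urn:schemas-microsoft-com:vml">' +
  '<script>var f = unescape("%u0c0c%u0c0c");</script></html>';
const SAMPLE_VML_ONLY =
  '<html xmlns:v="urn:schemas-microsoft-com:vml"><v:rect></v:rect></html>';
const SAMPLE_PLAIN = '<html><body>hello</body></html>';

for (const [label, page] of [
  ['suspicious sample', SAMPLE_SUSPICIOUS],
  ['VML-only sample', SAMPLE_VML_ONLY],
  ['plain sample', SAMPLE_PLAIN],
]) {
  console.log(label, JSON.stringify(scanPage(page)));
}
```

A `review` verdict alone is weak evidence, since legitimate legacy pages use VML; the combination is what warrants a closer look.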

Dell SonicWALL protects against this threat with the following signatures:

  • IPS: 9897 Windows IE VML shape object Memory Corruption 1 (MS13-037)
  • IPS: 9915 Windows IE VML shape object Memory Corruption 2 (MS13-037)