Threat Research

MS10-002: Get it while it's hot!

By Derek Manky | January 21, 2010

The much anticipated out-of-band release was rolled out today by Microsoft in the form of MS10-002. Included is CVE-2010-0249 (see our advisory here), addressed by Microsoft through a security advisory (979352) late last week. We released the signature "MS.IE.Event.Invalid.Pointer.Memory.Corruption" to address this particular issue. The Microsoft advisory was, of course, the subject of many headlines through an Internet Explorer zero-day exploit with reports of targeted attacks -- probably the most since Conficker made waves in 2009. Activity on the issue first exploited by Conficker (MS08-067) still remains our #1 detected threat for malicious traffic, as can be observed in our December 2009 Threat Landscape Report (MS.DCERPC.NETAPI32.Buffer.Overflow).

It should be reminded that Microsoft provided MS08-067 as an out of band patch in October 2008, shortly after in the wild activity was spotted. It quickly grew into a vast threat (2009). Thus, my advice: MS10-002 - Get it while it's hot! In other words, a patch is available and should be used so that we do not repeat lessons from the past. MS08-067 was exploited in the masses by a worm - so far all reported instances of exploits on CVE-2010-0249 have been targeted attacks (which can wreak more havoc in smaller numbers). The cat is certainly out of the bag as exploit code is publicly available, including Metasploit.

Patches are one way to help mitigate previously zero-day attacks such as this most recent one, however much more can be done: especially when they are in zero-day stage, meaning a patch is not available. Our team makes an effort to discover such zero-day threats before they become an issue, and report it to the vendor so that they may fix it -- hopefully before any cyber criminal exploits it. A list of these may be found on our Upcoming Advisories Page. As you can see, it is a growing list. One such incident we reported to Microsoft in 2009 was FG-VD-09-022 - a similar issue in Internet Explorer. We developed protection through our IPS solution on September 3, 2009 -- well in advance of this fix -- while we worked with Microsoft to address the issue. This issue was also fixed in today's Microsoft OOB release (MS10-002), identified by CVE-2010-0247: our advisory is here. Thankfully, no attackers have leveraged this yet - but it is one example of how a proactive approach can help stop targeted zero-day attacks, and another reason to patch now. Malware payloads, malicious websites, social networks (see my post on targeted attacks through socnets here), instant messaging, email are all vectors in which these attacks can be launched. Therefor, it is a better mitigation strategy to adapt to a flexible, managed layered security solution that has proactive elements - while properly practicing patch management. Thanks to Haifei Li from Fortinet's FortiGuard Labs for discovering CVE-2010-0247. We have released additional signatures for other issues fixed by Microsoft today, and we are continuing to monitor these threats, as well as others that we receive / discover.

Join the Discussion