MA-334.092012: MyCERT Alert - Critical Vulnerability in Microsoft Internet Explorer

  • 17 Sep 2012
  • Alert
1.0 Introduction

A critical vulnerability has been identified in Microsoft Internet Explorer. If successfully exploited, the vulnerability will cause the application to crash and could potentially allow an attacker to take control of the affected system. [1]

This issue is caused by a use-after-free error within "mshtml.dll" associated with the execCommand function call, which could allow remote attackers to execute arbitrary code via a specially crafted web page. [2]

Essentially, an attacker can trick users into clicking on a URL that will direct the users to a specially crafted web page containing the exploit.

MyCERT is aware that a '0-day' exploit is available on the internet at the time of the publication of this advisory. [1]

2.0 Impact

An attacker who successfully exploits this vulnerability will be able to execute code remotely and gain the same privileges as the user. Unsuccessful attacks may cause denial-of-service (DoS) outcomes. This vulnerability could be exploited to install malware on the user's computer.

3.0 Affected Products

The vulnerable products and versions are listed below:

  • Microsoft Internet Explorer 7
  • Microsoft Internet Explorer 8
  • Microsoft Internet Explorer 9

4.0 Recommendations

As of the writing of this advisory, Microsoft has not released any security patches for this vulnerability. However, users can use the following steps as a temporary workaround if they need to use Microsoft Internet Explorer:

4.1 Windows users are advised to add EMET support for Internet Explorer (iexplore.exe). Step-by-step instructions on how to add EMET support for a specific application can be found in our Protecting Your Windows Computer with Enhanced Mitigation Experience Toolkit (EMET) tutorial at the following URL:

https://www.mycert.org.my/portal/articles-content?menu=b9f3fdda-c343-4cb4-99a7-a7506cfb13ba&id=ee1c8114-fa55-41c4-9008-6857c28dd46f

Configure EMET to protect either of the following:

  • C:\Program Files\Internet Explorer\iexplore.exe
  • C:\Program Files (x86)\Internet Explorer\iexplore.exe

4.2 Disable Active Script support in the browser. Active Script can be disabled by referring to the following steps:

On the Tools menu, click Internet Options:

Click the Security tab, choose Internet zone and click on Custom Level:



Disable the Active Scripting and click OK:

4.3 Another option for the recommendation in 4.3 is to configure the Enhanced Security Configuration for Internet Explorer and set the Internet Security Zone to "High"
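
The Active Scripting setting from step 4.2 is stored in the registry, so it can be audited across machines rather than checked by hand in the dialog. The script below is an added example, not part of the MyCERT advisory; it assumes the standard Windows zone layout (zone 3 is the Internet zone, action 1400 is Active scripting), and the `-Apply` switch is a name chosen for this example.

```powershell
# Added example: audit, and optionally apply, the Active Scripting workaround (4.2).
# Zone 3 = Internet zone; action 1400 = Active scripting.
# Values for 1400: 0 = Enable, 1 = Prompt, 3 = Disable.
param([switch]$Apply)   # hypothetical switch name used by this example only

$zoneSubKey   = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$policySubKey = 'Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$meaning      = @{ 0 = 'Enabled'; 1 = 'Prompt'; 3 = 'Disabled' }

function Get-ActiveScriptingState {
    param([string]$Path)
    # A missing key or value means the setting is not defined at this location.
    $item = Get-ItemProperty -Path $Path -Name '1400' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'Not set' }
    $value = [int]$item.'1400'
    if ($meaning.ContainsKey($value)) { return $meaning[$value] }
    return "Unknown ($value)"
}

# Policy keys, when present, take precedence over the per-user setting,
# so report all four locations instead of only the one the dialog edits.
$locations = [ordered]@{
    'User setting'    = "HKCU:\$zoneSubKey"
    'Machine setting' = "HKLM:\$zoneSubKey"
    'User policy'     = "HKCU:\$policySubKey"
    'Machine policy'  = "HKLM:\$policySubKey"
}

foreach ($name in $locations.Keys) {
    '{0,-16} {1}' -f $name, (Get-ActiveScriptingState -Path $locations[$name])
}

if ($Apply) {
    # Same change as Tools > Internet Options > Security > Custom Level,
    # applied to the current user's Internet zone only.
    $userZone = $locations['User setting']
    if (-not (Test-Path $userZone)) { New-Item -Path $userZone -Force | Out-Null }
    Set-ItemProperty -Path $userZone -Name '1400' -Value 3 -Type DWord
    'Active Scripting disabled for the current user. Restart Internet Explorer.'
    'User setting now: {0}' -f (Get-ActiveScriptingState -Path $userZone)
}
```

Run it without arguments to report the current state; a policy entry that reads Enabled means the per-user change will not take effect until the policy is changed.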



4.4 Do not browse to untrusted websites or click on untrusted links, especially URLs enclosed in e-mails from an unknown sender.

4.5 Browse the Internet using a lower-privileged user account to minimize the impact of a malicious file.

4.6 Consider using alternative web browsers to browse the Internet. Please make sure you use the latest version and stay up-to-date as well.

MyCERT would like to advise users of Microsoft products to be vigilant of the latest security announcements by Microsoft and to ensure that their operating systems are updated automatically. The article on how to enable the auto update feature in Microsoft is available at the following URL:

https://www.mycert.org.my/portal/articles-content?menu=b9f3fdda-c343-4cb4-99a7-a7506cfb13ba&id=62275f48-f209-4440-af1a-c5425c875fa4

Users may also consider using a vulnerability management tool such as Secunia to ensure that all applications are updated:

http://secunia.com/vulnerability_scanning/personal/

MyCERT generally advises users of this product to keep themselves updated with the latest security announcements by the vendor. If members of the public receive any suspicious URL and require our further analysis, please reach us through the following channels:

E-mail : [email protected] or [email protected]
Phone : 1-300-88-2999 (monitored during business hours)
Fax : +603 89453442
Handphone : +60 19 2665850 (24x7 call incident reporting)
SMS : CYBER999 REPORT <EMAIL> <COMPLAINT> to 15888
Business Hours : Mon - Fri 08:30 -17:30 MYT
Web: https://www.mycert.org.my

5.0 References

i. http://eromang.zataz.com/2012/09/16/zero-day-season-is-really-not-over-yet/
ii. http://blog.vulnhunt.com/index.php/2012/09/17/ie-execcommand-fuction-use-after-free-vulnerability-0day/
iii. http://labs.alienvault.com/labs/index.php/2012/new-internet-explorer-zero-day-being-exploited-in-the-wild/

SR-040.Q12012: MyCERT Report - MyCERT 1st Quarter 2012 Summary Report

  • 14 Sep 2012
  • Report


Introduction

The MyCERT Quarterly Summary Report provides an overview of activities carried out by the Malaysian Computer Emergency Response Team (hereinafter referred to as MyCERT), a department within CyberSecurity Malaysia. These activities are related to computer security incidents and trends based on security incidents handled by MyCERT. The summary highlights statistics of incidents according to categories handled by MyCERT in Q1 2012, security advisories and other activities carried out by MyCERT personnel. The statistics provided in this report reflect only the total number of incidents handled by MyCERT and not elements such as monetary value or repercussions of the incidents. Computer security incidents handled by MyCERT are those that occur or originate within the Malaysian constituency. MyCERT works closely with other local and global entities to resolve computer security incidents.

Incidents Trends Q1 2012

Incidents were reported to MyCERT by various parties within the constituency as well as from abroad, including home users, the private sector, the government sector, security teams from abroad, foreign CERTs and Special Interest Groups, in addition to MyCERT’s proactive monitoring of several cyber incidents.

From January to March 2012, MyCERT, via its Cyber999 service, handled a total of 3143 incidents, representing a 4.40 percent decrease compared to Q4 2011. In Q1 2012, incidents such as Denial of Service, Fraud, Vulnerabilities Report and Malicious Code had increased while other incidents had decreased.

Figure 1 illustrates incidents received in Q1 2012 classified according to the type of incidents handled by MyCERT.




Figure 2 illustrates the incidents received in Q1 2012 classified according to the type of incidents handled by MyCERT and its comparison with the number of incidents received in the previous quarter.

Figure 3 shows the percentage of incidents handled according to categories in Q1 2012.

In Q1 2012, a total of 1108 Intrusion incidents were received, representing an 18.34 percent decrease compared to the previous quarter. The Intrusion incidents reported to us are mostly web defacements, also known as web vandalism, followed by account compromise. Based on our findings, the majority of the web defacements were due to vulnerable web applications or unpatched servers, involving web servers running on IIS and Apache.

In this quarter, we received a total of 689 defaced .MY domains belonging to various sectors, such as private and government, hosted on local web hosting companies. MyCERT responded to web defacement incidents by notifying the respective Web Administrators to rectify the defaced websites by following our recommendations.


Figure 4 shows the breakdown of domains defaced in Q1 2012.




Account compromise incidents still prevail in this quarter, as in the previous quarter, with the number increasing to 68 incidents compared to 57 incidents in Q4 2011. Account compromise has become a trend in which unscrupulous individuals take advantage of various techniques to compromise legitimate accounts. The increase in Internet banking and the usage of social networking sites, combined with a lack of security awareness, has contributed to the increase in account compromise incidents. The account compromise incidents reported to us mostly involved free email accounts and social networking accounts. Account compromise incidents could be prevented if users practise good password management, such as using strong passwords and safeguarding their passwords.

Users may refer to the URLs below for good password management practices:

  • http://www.auscert.org.au/render.html?it=2260
  • http://www.us-cert.gov/cas/tips/ST04-002.html







  • Incidents involving fraud had increased to about 29.31 percent in this quarter compared to the previous quarter. Fraud incidents continue to be a trend in this quarter and are among the incidents most frequently reported to Cyber999. In fact, fraud has become a global trend involving phishing, Nigerian scams, lottery scams, illegal investment and job scams, as it brings large sums of money to the perpetrators.

    A total of 1153 incidents were received in this quarter from organizations and home users. Phishing incidents involving foreign and local brands still prevail in this quarter along with other types of fraud. Job scam incidents had also increased, targeting other industries such as hospitals and Specialist Centres.

    We continue to receive incidents on cyber harassment in this quarter; however, the number had dropped to about 23.80% with a total of 80 incidents. Harassment reports generally involved cyberstalking, cyberbullying and threats made via emails and social networking sites. A new trend we observed in this quarter is luring victims into posing nude in front of a video camera while chatting with perpetrators via Skype or MSN Messenger. The nude pictures captured by the perpetrator are then used to threaten the victim into paying some amount of money, otherwise the pictures will be exposed on social networking sites. We advise users to be very cautious about whom they communicate or chat with on the net, especially unknown people, and to be ethical on the net.

    In Q1 2012, MyCERT handled 189 incidents involving malicious code, which represents a 33.09 percent increase compared to the previous quarter. Some of the malicious code incidents we handled were active botnet controllers, hosting of malware or malware configuration files on compromised machines, and malware infections of computers.


    Advisories and Alerts

    In Q1 2012, MyCERT issued a total of 10 advisories and alerts for its constituency, which involved popular end user applications such as Adobe PDF Reader and Multiple Microsoft Vulnerabilities. Attackers often compromise end users' computers by exploiting vulnerabilities in the users’ applications. Generally, the attacker tricks the user into opening a specially crafted file (i.e. a PDF document) or web page.

    Readers can visit the following URL on advisories and alerts released by MyCERT


    Other Activities

    In Q1 2012, MyCERT staff were invited to conduct a training session on Reversing Android at the HP Security Workshop in San Francisco, US, on 19 March 2012. MyCERT staff also gave a talk on Malicious PDF Threat at UITM, Shah Alam, on 31st March 2012.

    Conclusion

    In conclusion, the number of computer security incidents reported to us in this quarter had decreased slightly compared to the previous quarter. However, some categories of incidents reported to us continue to increase. The slight decrease could be a positive indication that more Internet users are aware of current threats and are taking proper measures against them. No severe incidents were reported to us in this quarter and we did not observe any crisis or outbreak in our constituencies. Nevertheless, users and organisations must be constantly vigilant of the latest computer security threats and are advised to always take measures to protect their systems and networks from these threats.

    Internet users and organizations may contact MyCERT for assistance using the contact details below:

    Malaysia Computer Emergency Response Team (MyCERT)
    E-mail:
    [email protected]
    Cyber999 Hotline: 1 300 88 2999
    Phone: (603) 8992 6969
    Fax: (603) 8945 3442
    Phone: 019-266 5850
    SMS: Type CYBER999 report to 15888

    https://www.mycert.org.my/


    Please refer to MyCERT's website for latest updates of this Quarterly Summary.

Copyright by © 2019 CyberSecurity Malaysia

SR-041.Q22012: MyCERT Report - MyCERT 2nd Quarter 2012 Summary Report

  • 14 Sep 2012
  • Report
Introduction

The MyCERT Quarterly Summary Report provides an overview of activities carried out by the Malaysian Computer Emergency Response Team (hereinafter referred to as MyCERT), a department within CyberSecurity Malaysia. These activities are related to computer security incidents and trends based on security incidents handled by MyCERT. The summary highlights statistics of incidents according to categories handled by MyCERT in Q2 2012, security advisories and other activities carried out by MyCERT personnel. The statistics provided in this report reflect only the total number of incidents handled by MyCERT and not elements such as monetary value or repercussions of the incidents. Computer security incidents handled by MyCERT are those that occur or originate within the Malaysian constituency. MyCERT works closely with other local and global entities to resolve computer security incidents.

Incidents Trends Q2 2012

Incidents were reported to MyCERT by various parties within the constituency as well as from abroad, including home users, the private sector, the government sector, security teams from abroad, foreign CERTs and Special Interest Groups, in addition to MyCERT’s proactive monitoring of several cyber incidents.

From April to June 2012, MyCERT, via its Cyber999 service, handled a total of 2441 incidents, representing a 22.33 percent decrease compared to Q1 2012. In Q2 2012, incidents such as Cyber Harassment, Denial of Service and Vulnerabilities Report had increased while other incidents had decreased tremendously.

Figure 1 illustrates incidents received in Q2 2012 classified according to the type of incidents handled by MyCERT.




Figure 2 illustrates the incidents received in Q2 2012 classified according to the type of incidents handled by MyCERT and its comparison with the number of incidents received in the previous quarter.