In this month’s Patch Tuesday, Microsoft covered another Internet Explorer zero-day vulnerability, which is being exploited in the wild. This flaw is known as the
Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-0324). According to our investigation, the exploit for CVE-2014-0324 takes advantage of Internet Explorer 8. Symantec confirmed the exploit in the middle of February, which we believe was used in a watering hole campaign in order to carry out limited targeted attacks.
The exploit code was implemented in a specially crafted Web page that takes advantage of the vulnerability. If the vulnerability is exploited, a payload is then downloaded from a specific URL on a compromised website. We were, however, unable to acquire the downloaded file at the time of analysis, so we cannot elaborate on the details of the payload. In our testing environment, the exploit triggers Data Execution Prevention (DEP), which is a security feature that attempts to prevent the execution of code from Web pages of memory that are not allowed to run. This means that if DEP is enabled, it will stop the exploit from taking advantage of the flaw.
Symantec customers are protected against attacks exploiting this vulnerability. Our products block the exploit with the following signatures.
AV
IPS
Symantec has continued to monitor the threat landscape for further exploits of CVE-2014-0324, but we have only spotted one other possible attack in the same month. We believe that the exploit is only being used to target specific organizations or individuals. For those who may be affected by the exploit, we urge you to apply the patch immediately. We also encourage everyone to always keep their security products up to date.