The Microsoft Malware Protection Center has been tracking a recent 0-day vulnerability for Microsoft Internet Explorer very closely after it was found in the wild in early November, apparently being used in targeted attack attempts.  As public exploit code became available and attackers began integrating the code into their toolkits, we continued to closely monitor the attack attempt patterns through the coverage (Exploit:Win32/CVE-2010-3962) provided to customers.

The attack patterns for this vulnerability have been somewhat unusual.  The Friday after we began our tracking effort, we saw our first spike in activity, predominantly targeting users in Korea, and secondarily attempting to exploit users in China.  Although attacks in China trended down over subsequent weeks, we continued to see weekend-related spikes in Korea.  However, after the second weekend spike, even these attack attempts continued to trend down, revealing a smaller number of attack attempts each coming weekend.  The following chart shows the geo-location of computers reporting the attack attempt along with the “trending down” effect we’ve seen.

CVE-2010-3962 attack attempts

Image 1 - CVE-2010-3962 attack attempts by geo-location

Over the past few days, attack attempts in China have been on the rise, again, the downward trend that occurred during the first month is unusual for an 0-day vulnerability such as this one. One explanation might be that the attackers did not achieve the success rate that they had hoped.  Although the Microsoft Security Advisory (2458511) lists Windows 7, Windows Vista and Windows Server 20008 as affected operating systems, these platforms include DEP/ASLR mitigations (described in depth by TwC Security Science’s Matt Miller in a recent blog post).

When you pair those platforms with Internet Explorer 8 and above, DEP/ASLR technologies are enabled by default to protect IE.  So, perhaps the attackers have not been reaching the attack surface they had originally hoped and are starting to move on.  The following charts shows the number of Windows XP and Windows 2003 systems reporting attack attempts versus Windows Vista and Windows 7:

CVE-2010-3962 attack attempts by target OS

Image 2 - CVE-2010-3962 attack attempts by target OS

In any case, we’re happy to say that the bulletin addressing this issue is planned to be released on Tuesday, Dec.  14 as part of our usual monthly update cycle. As always, we urge all Microsoft customers to apply this update along with the protection technologies you may have had in place already.

- Holly Stewart, MMPC