For HomeFor BusinessFor Partners
Business Insights
5 min read

Hypervisor Introspection Thwarts Web Memory Corruption Attack in the Wild

Michael Rosen

February 10, 2020

Hypervisor Introspection Thwarts Web Memory Corruption Attack in the Wild
  • New remote memory corruption vulnerability in Internet Explorer browsers allows for full takeover of infected systems
  • Bitdefender has confirmed exploitation in the wild of CVE-2020-0674 with analysis of 2 distinct executable payloads
  • Hypervisor Introspection delivers true zero-day protection by preventing all common memory exploit techniques

On January 17, Microsoft announced Security Advisory ADV200001, describing a zero-day remote code execution in Internet Explorer that has been actively exploited in the wild. This announcement continues the parade of devastating memory-space exploits including EternalBlue and BlueKeep.

Security Advisory ADV200001 | Microsoft Guidance on Scripting Engine Memory Corruption Vulnerability

CVE-2020-0674 is a recently discovered browser vulnerability in the Microsoft scripting engine that allows for remote code execution (RCE) on Internet Explorer browsers from malicious JavaScript (.js) files. The exploit carries Microsoft’s highest severity rating of Critical and it affects Internet Explorer versions 9, 10, and 11.

Microsoft, DHS Warn of Zero-Day Attack Targeting IE Users

Bitdefender has confirmed that this critical vulnerability is being actively exploited in the wild. Security researchers in Bitdefender Labs have obtained and analyzed multiple samples to explore its tactics, techniques, and procedures. We have independently verified that 2 distinct executable payloads are unleashed by the exploit and currently in circulation:

Below are Bitdefender’s analysis and key findings concerning the exploitation of CVE-2020-0674 in the wild. We also demonstrate the successful detection and defeat of this dangerous exploit in virtual datacenter systems protected by Bitdefender Hypervisor Introspection (HVI)—including standard desktops, servers, and VDI desktops. HVI prevents this type of exploit, closing the gap between the time exploit code is used in the wild and the time the systems are patched.

hvi-prts

Hypervisor Introspection intercepts and denies the attempt to access and overwrite protected memory areas.

Instead of scanning millions of malware samples, Bitdefender Hypervisor Introspection detects all known memory attack techniques—few in number and only visible at the hypervisor level—identifying advanced and zero-day attacks as easily as any known exploit, preventing the malicious behavior from executing. HVI requires no signature updates, since the common attack techniques remain relatively constant, even as the tools and procedures change with each specific attack. Bitdefender Labs maintains constant vigilance, keeping pace with new techniques and adding them to HVI’s detection stack.

Bitdefender Hypervisor Introspection | Stop Advanced Targeted Attacks and Prevent Breaches

 Key Findings

  1. Malicious URLs from phishing links contain multiple JavaScripts, each operating on a different version of Windows to exploit CVE-2020-0674
  1. When the RCE memory-space exploit is successful, the scripts download and run two distinct executable files in memory with the privileges of the logged-in user 
  1. The attack attempts to access a protected memory area, to write data to read-only memory, and to execute arbitrary code from a non-executable area such the heap stack or process stack

Impact of Virtualization Security on Your VDI Environment White Paper

Conclusions

Hypervisor Introspection is essential in the virtual datacenter, where built-in protection against new memory exploits and other advanced attacks using well-known exploit techniques cannot come at the expense of VM efficiency, density, or performance. Don’t rely on vendor software patches to keep you safe, as the attackers will always be one step ahead. Instead, proactively take away their operating space with HVI and set your defenses on the high ground of memory space. Bitdefender has demonstrated proactive prevention of memory vulnerabilities and exploits time and again—from EternalBlue to BlueKeep and more—proving that proactive defense with denial is always better than reactive detection.

For further information on Bitdefender Hypervisor Introspection, please download our datasheet or contact us here.

tags

Business Insights

Author

Michael Rosen

Michael Rosen

Michael is Director of Technical Product Marketing for Bitdefender’s Data Center and Network Security Products. He has an MBA in Information Systems, a JD in Law, and 20 years of experience bringing innovative enterprise security software systems to market. Michael enjoys diving deep into products and making technical content accessible to general audiences.

View all posts

Right now Top posts

ShrinkLocker (+Decryptor): From Friend to Foe, and Back Again
Ransomware Threat Research Threat Intelligence

ShrinkLocker (+Decryptor): From Friend to Foe, and Back Again

November 13, 2024

Bitdefender Threat Debrief | November 2024
Enterprise Security Ransomware Bitdefender Threat Debrief

Bitdefender Threat Debrief | November 2024

November 07, 2024

5 Approaches to Counter a Cybercriminal’s Growing Arsenal
Enterprise Security Threat Research

5 Approaches to Counter a Cybercriminal’s Growing Arsenal

November 06, 2024

Bitdefender Threat Debrief | October 2024
Enterprise Security Ransomware Bitdefender Threat Debrief

Bitdefender Threat Debrief | October 2024

October 10, 2024

FOLLOW US ON SOCIAL MEDIA

SUBSCRIBE TO OUR NEWSLETTER

Don’t miss out on exclusive content and exciting announcements!

You might also like

Empowering MSP Workflows: Bitdefender’s New ConnectWise PSA Integration Update
Enterprise Security Endpoint Protection & Management

Empowering MSP Workflows: Bitdefender’s New ConnectWise PSA Integration Update
Bitdefender Enterprise

November 21, 2024

Security Advisory: Adversaries Abuse Microsoft Teams and Quick Assist
Enterprise Security Endpoint Detection and Response

Security Advisory: Adversaries Abuse Microsoft Teams and Quick Assist
Jade Brown and Nikki Salas

November 20, 2024

Balancing User Experience with Security: A New Frontier for CISOs in Minimizing Business Risk Exposure
Enterprise Security Endpoint Protection & Management Endpoint Detection and Response

Balancing User Experience with Security: A New Frontier for CISOs in Minimizing Business Risk Exposure
Daniel Daraban

November 19, 2024

Bookmarks

loader