- The Zscaler Experience
Your world, secured
Experience the transformative power of zero trust.
Zscaler: A Leader in the 2023 Gartner® Magic Quadrant™ for Security Service Edge (SSE)
Get the full report
![gartner magic quadrant]( "gartner magic quadrant")
Zero Trust Fundamentals
-
What is Zero Trust?
-
What is Security Service Edge (SSE)?
-
What is Secure Access Service Edge (SASE)?
-
What is Zero Trust Network Access (ZTNA)?
-
What is Secure Web Gateway (SWG)?
-
What is Cloud Access Security Broker (CASB)?
-
What is a Cloud Native Application Protection Platform (CNAPP)?
-
Zero Trust Resources
-
- Products & Solutions
![test]( "test")
Secure Your Users
Provide users with seamless, secure, reliable access to applications and data.
![test]( "test")
Secure Your Workloads
Build and run secure cloud apps, enable zero trust cloud connectivity, and protect workloads from data center to cloud.
![test]( "test")
Secure Your IoT and OT
Provide zero trust connectivity for IoT and OT devices and secure remote access to OT systems.
Products
Transform your organization with 100% cloud native services
Solution Areas
Propel your business with zero trust solutions that secure and connect your resources
-
Stop Cyberattacks
-
Protect Data
-
Zero Trust App Access
-
VPN Alternative
-
Accelerate M&A Integration
-
Optimize Digital Experiences
-
Zero Trust SD-WAN
-
Build and Run Secure Cloud Apps
-
Zero Trust Cloud Connectivity
-
Zero Trust for IoT/OT
-
Zero Trust for Private 5G
-
Find a product or solution
-
Find a product or solution
-
- Platform
Zero Trust Exchange Platform
Learn how Zscaler delivers zero trust with a cloud native platform built on the world’s largest security cloud.
![test]( "test")
Transform with Zero Trust Architecture
Propel your transformation journey
Secure Your Business Goals
Achieve your business and IT initiatives
- Resources
- Company
Security Insights
CVE-2012-1889 Is Still Alive!
In Zscaler’s dailyscanning, we identified an instance where CVE-2012-1889 (MSXML Uninitialized Memory Corruption Vulnerability) is still alive. Lets take a look.
![]()
![]()
![]()
The highlighted code shows that the a CLSID object is being used, which is exploited by parsing long strings of the letter “A”. This CLSID object is related to the vulnerability detailed in CVE-2012-1889.
![]()
![]()
![]()
![]()
![]()
![]()
An interesting observation is that the javascript is written in such a way that it only works on IE. It avoids delivering an unnecessary heap spray when loaded in another browser. That’s why when you open this site with IE it crashes IE and while opening with any other browser it works fine. It does however attempt to serve alternate malicious files to other browser users such as the samples described below.
![]()
![]()
![]()
The site hxxp://wm.17wan.info:9999/zx/zip.html?mag.fznews.com.cn is a Chinese site, which targets online gamers by serving malicious code which exploits Microsoft XML Core Services. This attack allows a remote attacker to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site. The site serves highly obfuscated code to evade antivirus solutions.
VirusTotal lookup
You can see the highly obfuscated code served by the malicious site in the screen shot below.
Lets take a look at a beautified version of this code.
This highlighted section shows the suspicious function, which leverages the shell code for exploiting the vulnerability.
Here function heapLib() performs a heap spray. You can see the complete series of functions utilized in the full attack.
Let's decode the script which is shown in first screen shot
The decrypted source code shows that random named parameters are used for obfuscation of the original code. The chunks of code are combined into a final code snippet, which is then decoded again for making the actual shell code. Here you can see that the variable “t” is using the “MYKEY” parameter and “MYKEY” is using the “MY” parameter to construct the final chunk. This final chunk is again decoded by the function utf8to6() and nbcode(), which are defined in the source code for the final payload and that is used by the window object. At the end of the code the “t” variable generates the final javascript snippet which executes the shellcode.
This is the javascript which is generated at variable “t”. Again, this script is obfuscated. Obfuscation is primarily used by malware authors to avoid antivirus detection. It should be noted that malware authors do not always leverage 0-days, in fact most technical attacks utilize known vulnerabilities as attackers know that a large percentage of PC users have not applied the latest patches.
Here you can see the sourcode contains a link which drops a malicious Rar file.
VirusTotal lookup
HTTP Transactions
This site makes a connection with following sites
- Js.users.51.la
- Web1.51.la:82
Zscaler provides complete protection for these threats.
Get the latest Zscaler blog updates in your inbox
Subscription confirmed. More of the latest from Zscaler, coming your way soon!
By submitting the form, you are agreeing to our privacy policy.