Attacks/Breaches
2/20/2014
04:06 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Microsoft Issues Emergency Fix For Internet Explorer Zero-Day

'Fix-it' shipped in the wake of at least two targeted attack campaigns exploiting a newly found bug in IE10

Microsoft has released a temporary workaround tool for a newly discovered zero-day flaw in Internet Explorer that has been spotted being abused in at least two targeted attack campaigns.

Two different cyberespionage attack groups have been seen exploiting the use-after-free bug in Internet Explorer 10 – IE9 also has the same bug – that lets attackers remotely run code via malicious JavaScript. Earlier versions of the browser don't contain the flaw.

"At this time, we are only aware of limited, targeted attacks against Internet Explorer 10. This issue allows remote code execution if users browse to a malicious website with an affected browser. This would typically occur by an attacker convincing someone to click a link in an email or instant message," said Dustin Childs, group manager of response communications for Microsoft's Trustworthy Computing group. The one-click Fix it released by Microsoft protects against the known attacks that exploit the bug, he said.

"Internet Explorer 11 is not affected by this issue, so upgrading to this version will also help protect customers from this issue," Childs said.

FireEye last Thursday warned of a new zero-day watering hole attack where the U.S. Veterans of Foreign Wars website was being used to serve up drive-by malware attacks. Dubbed "Operation Snowman" by FireEye, the targeted attack campaign employed malicious JavaScript and an iFrame targeting the zero-day IE bug. The malicious JavaScript code loads a Flash object that in turn infects the victim with a payload that downloads a backdoor ZxShell Trojan.

[Military personnel appear to be the targets of watering-hole attacks from a hacked VFW website. See Snowman Attack Campaign Targets IE10 Zero-Day Bug .]

Websense then revealed that they had seen another targeted attack by the same group and using the same 0day as in the VFW attack, but which began earlier, around January 20. The attack targeted a French aerospace association, Groupement des Industries Francaises Aeronautiques et Spatiales (GIFAS), by setting up a phony and malware-ridden website posing as GIFAS's legitimate site.

But yesterday, researchers at Seculert challenged Websense's theory that the two attacks were by the same group. Aviv Raff, CTO at Seculert, says his firm found a different exploit targeting GIFAS. "Our research shows that these are two different attacking groups, with two different targets," but both exploiting the same IE zero-day flaw, Raff says.

They have "almost identical elements of the exploit," he says, which indicates the two groups purchased the exploit from the same creator or seller. Both attacks have the earmarks of Chinese cyberespionage actors, he says.

"While the attack described by FireEye was a watering hole, the attack vector on the French company was probably a spear phishing email, because the attackers were using a fake website of GIFAS," Raff says. Raff says it is likely part of a broader campaign targeting the aerospace industry, but that the malware his firm found was customized to attack remote users at a specific multinational aircraft and rocket engine manufacturer, including its employees, partners and third-party vendors.

"Our analysis reveals that a totally different malware than ZXShell, the culprit as identified by FireEye, was used and has the following capabilities: backdoor (Remote Access Tool), downloader, and information stealer," Seculert wrote in a blog post describing the attack. "The malware drops 2 files: MediaCenter.exe – a copy of itself, and MicrosoftSecurityLogin.ocx, which is registered as an ActiveX – used by malware to steal information from browsing sessions. Once installed the malware communicates with a criminal command and control server (C&C)."

The command and control server and the exploit reside on the same server in the U.S. In addition, the malware comes with a valid digital certificate, from Micro Digital Inc.

There's been no indication publicly that the IE 0day has been commercialized for traditional cybercriminals just yet, but it's only a matter of time. "We haven't seen attackers incorporate the 0-day in exploit kits just yet. But, as we've seen with past 0-days, it shouldn't take them too long," Raff says.

Another Day, Another 0Day
Meanwhile, FireEye today disclosed details of yet another cyberespionage campaign using another zero-day flaw —this time in Adobe Flash. The so-called "Operation Greedywonk" is targeting U.S. think tank websites, and FireEye estimates that thousands of visitors to those sites have been infected.

Adobe today issued an out-of-band patch to fix flaws in Flash Player 12.0.0.44, including the bug used in the zero-day attacks in Operation Greedywonk.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading, September 16, 2014
Malicious software is morphing to be more targeted, stealthy, and destructive. Are you prepared to stop it?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-1032
Published: 2014-09-17
Cross-site scripting (XSS) vulnerability in the Euroling SiteSeeker module 3.x before 3.4.5 for EPiServer allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. NOTE: the provenance of this information is unknown; the details are obtained solely from third party inf...

CVE-2012-1417
Published: 2014-09-17
Multiple cross-site scripting (XSS) vulnerabilities in Local Phone book and Blacklist form in Yealink VOIP Phones allow remote authenticated users to inject arbitrary web script or HTML via the user field to cgi-bin/ConfigManApp.com.

CVE-2012-1506
Published: 2014-09-17
SQL injection vulnerability in the updateStatus function in lib/models/benefits/Hsp.php in OrangeHRM before 2.7 allows remote authenticated users to execute arbitrary SQL commands via the hspSummaryId parameter to plugins/ajaxCalls/haltResumeHsp.php. NOTE: some of these details are obtained from th...

CVE-2012-1507
Published: 2014-09-17
Multiple cross-site scripting (XSS) vulnerabilities in OrangeHRM before 2.7 allow remote attackers to inject arbitrary web script or HTML via the (1) newHspStatus parameter to plugins/ajaxCalls/haltResumeHsp.php, (2) sortOrder1 parameter to templates/hrfunct/emppop.php, or (3) uri parameter to index...

CVE-2012-2583
Published: 2014-09-17
Cross-site scripting (XSS) vulnerability in Mini Mail Dashboard Widget plugin 1.42 for WordPress allows remote attackers to inject arbitrary web script or HTML via the body of an email.

Best of the Web
Dark Reading Radio