04:06 PM
Connect Directly

Microsoft Issues Emergency Fix For Internet Explorer Zero-Day

'Fix-it' shipped in the wake of at least two targeted attack campaigns exploiting a newly found bug in IE10

Microsoft has released a temporary workaround tool for a newly discovered zero-day flaw in Internet Explorer that has been spotted being abused in at least two targeted attack campaigns.

Two different cyberespionage attack groups have been seen exploiting the use-after-free bug in Internet Explorer 10 – IE9 also has the same bug – that lets attackers remotely run code via malicious JavaScript. Earlier versions of the browser don't contain the flaw.

"At this time, we are only aware of limited, targeted attacks against Internet Explorer 10. This issue allows remote code execution if users browse to a malicious website with an affected browser. This would typically occur by an attacker convincing someone to click a link in an email or instant message," said Dustin Childs, group manager of response communications for Microsoft's Trustworthy Computing group. The one-click Fix it released by Microsoft protects against the known attacks that exploit the bug, he said.

"Internet Explorer 11 is not affected by this issue, so upgrading to this version will also help protect customers from this issue," Childs said.

FireEye last Thursday warned of a new zero-day watering hole attack where the U.S. Veterans of Foreign Wars website was being used to serve up drive-by malware attacks. Dubbed "Operation Snowman" by FireEye, the targeted attack campaign employed malicious JavaScript and an iFrame targeting the zero-day IE bug. The malicious JavaScript code loads a Flash object that in turn infects the victim with a payload that downloads a backdoor ZxShell Trojan.

[Military personnel appear to be the targets of watering-hole attacks from a hacked VFW website. See Snowman Attack Campaign Targets IE10 Zero-Day Bug .]

Websense then revealed that they had seen another targeted attack by the same group and using the same 0day as in the VFW attack, but which began earlier, around January 20. The attack targeted a French aerospace association, Groupement des Industries Francaises Aeronautiques et Spatiales (GIFAS), by setting up a phony and malware-ridden website posing as GIFAS's legitimate site.

But yesterday, researchers at Seculert challenged Websense's theory that the two attacks were by the same group. Aviv Raff, CTO at Seculert, says his firm found a different exploit targeting GIFAS. "Our research shows that these are two different attacking groups, with two different targets," but both exploiting the same IE zero-day flaw, Raff says.

They have "almost identical elements of the exploit," he says, which indicates the two groups purchased the exploit from the same creator or seller. Both attacks have the earmarks of Chinese cyberespionage actors, he says.

"While the attack described by FireEye was a watering hole, the attack vector on the French company was probably a spear phishing email, because the attackers were using a fake website of GIFAS," Raff says. Raff says it is likely part of a broader campaign targeting the aerospace industry, but that the malware his firm found was customized to attack remote users at a specific multinational aircraft and rocket engine manufacturer, including its employees, partners and third-party vendors.

"Our analysis reveals that a totally different malware than ZXShell, the culprit as identified by FireEye, was used and has the following capabilities: backdoor (Remote Access Tool), downloader, and information stealer," Seculert wrote in a blog post describing the attack. "The malware drops 2 files: MediaCenter.exe – a copy of itself, and MicrosoftSecurityLogin.ocx, which is registered as an ActiveX – used by malware to steal information from browsing sessions. Once installed the malware communicates with a criminal command and control server (C&C)."

The command and control server and the exploit reside on the same server in the U.S. In addition, the malware comes with a valid digital certificate, from Micro Digital Inc.

There's been no indication publicly that the IE 0day has been commercialized for traditional cybercriminals just yet, but it's only a matter of time. "We haven't seen attackers incorporate the 0-day in exploit kits just yet. But, as we've seen with past 0-days, it shouldn't take them too long," Raff says.

Another Day, Another 0Day
Meanwhile, FireEye today disclosed details of yet another cyberespionage campaign using another zero-day flaw —this time in Adobe Flash. The so-called "Operation Greedywonk" is targeting U.S. think tank websites, and FireEye estimates that thousands of visitors to those sites have been infected.

Adobe today issued an out-of-band patch to fix flaws in Flash Player, including the bug used in the zero-day attacks in Operation Greedywonk.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is Executive Editor at She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2014-10-22
Cross-site request forgery (CSRF) vulnerability in the MRBS module for Drupal allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.

Published: 2014-10-22
Shim allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted DHCPv6 packet.

Published: 2014-10-22
Heap-based buffer overflow in Shim allows remote attackers to execute arbitrary code via a crafted IPv6 address, related to the "tftp:// DHCPv6 boot option."

Published: 2014-10-22
Unspecified vulnerability in Shim might allow attackers to execute arbitrary code via a crafted MOK list, which triggers memory corruption.

Published: 2014-10-22
Multiple SQL injection vulnerabilities in Centreon 2.5.1 and Centreon Enterprise Server 2.2 allow remote attackers to execute arbitrary SQL commands via (1) the index_id parameter to views/graphs/common/makeXML_ListMetrics.php, (2) the sid parameter to views/graphs/GetXmlTree.php, (3) the session_id...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.