1/2/2013
03:05 PM

New IE Zero-Day Attack Bypasses Key Microsoft Security Measures

Microsoft releases temporary browser fix for new flaw being exploited in targeted attacks

Attackers bypassed two widely respected Microsoft security features to wage targeted attacks via a previously unknown flaw in Internet Explorer.

Microsoft says the vulnerability resides in IE6, IE7, and IE8 only, and that attacks were waged via IE8. After first issuing an alert on the bug over the weekend, Microsoft then released a temporary workaround that prevents the exploitation of the bug. The software giant is currently working on a patch for the flaw.

Security researchers point to cyberespionage attackers possibly out of China as the culprits in the attacks, which targeted the websites of U.S.-based Council on Foreign Policy, as well as Capstone Turbine Corp. But a new Metasploit module using the bug makes attacks more likely against multiple targets, they say.

"At this point, we are aware of two sites, [and] CFR is one of them. I cannot disclose the other one. It is likely we will see more sites getting infected in the coming hours and days," says Ziv Mador, director of security research at Trustwave. Mador says he can't confirm whether the attack came out of China, but describes it as a "sophisticated" attack that employed "memory-spraying" to work around Microsoft's Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR) features aimed at preventing exploitation.

Aside from the drama of a New Year zero-day attack, the exploits highlight yet another APT-type attack employing drive-by website or so-called "watering hole" techniques. This is not your typical spearphishing APT attack, where the attackers use email to go after users associated in some way with the targeted organization in hopes of gaining a foothold in their networks. With this new attack and previous ones seen in 2012, the attackers poison websites that their potential targets frequent, in hopes of infecting them and getting their foot in the door of the targeted organization.

"It is pretty similar to what we have seen in the past, planting an exploit and malware on benign websites," says Jaime Blasco, manager of AlienVault Labs. "If you are able to identify the websites that your desired victims are visiting on a regular basis, you can just put an exploit there and wait until the victim visits the site. On the other hand, you can combine the waterhole campaigns with spearphishing campaigns so you just send a link to the benign Web page within the mail to the victim, and the victim won't notice anything unusual since it is a trusted website."

Waterholing is effective because it can gather multiple targets at once, he says, and it may be an alternative to snaring users who have become more savvy about clicking on links or attachments in emails.

[Cyberespionage attackers more and more are injecting specific, legitimate websites with malware in hopes of snaring victims with common interests -- most recently, human rights organizations. See Cyberspies Target Victims Via 'Strategic' Drive-by Website Attacks.]

Blasco says the vulnerability in IE8 appears to be a "use-after-free" flaw.

Microsoft describes the bug as a remote code-execution vulnerability. It has to do with "the way that Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated. The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer," according to Microsoft's Security Advisory on the bug. "An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website."

Meanwhile, Microsoft is urging users to install the MSHTML Shim Workaround Fix It. "We encourage customers to apply the Fix it, an easy, one-click solution offered with Security Advisory 2794220, to help ensure maximum protection," said Dustin Childs, group manager at Microsoft Trustworthy Computing, in a statement. "Additionally, customers should ensure their anti-malware solution is up-to-date and follow good network hygiene practices, such as enabling a firewall, for added protection against threats."

These types of bugs are typically triggered from JavaScript, with heap spraying used to shape memory and bypass DEP and ASLR, according to the software giant.
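As an added illustration of the detection side of the heap-spray technique the article describes (this is not code from the article, from Microsoft, or from the researchers quoted): a heuristic scanner that flags a script only when several independent spray indicators co-occur, which keeps ordinary uses of unescape() or string loops from firing it. The indicator patterns, the scoring threshold and the two sample scripts are constructed assumptions, not signatures taken from the advisory.

```python
import re

# Heuristic indicators of JavaScript heap spraying (the technique the article
# says these IE exploits use to defeat DEP/ASLR). Each pattern is an assumed
# shape of spray code written for this example, not a published signature.
INDICATORS = {
    # unescape() building a slide out of one repeated "%uXXXX" unit
    "unescape_slide": re.compile(r'unescape\(\s*["\'](%u[0-9a-fA-F]{4}){2,}["\']'),
    # self-doubling loop that grows a string until it is hundreds of KB
    "doubling_loop": re.compile(
        r'while\s*\(\s*\w+\.length\s*<\s*(0x[0-9a-fA-F]{5,}|\d{6,})\s*\)\s*\w+\s*\+=\s*\w+'),
    # a counted loop stuffing the same block into many array slots
    "array_fill": re.compile(
        r'for\s*\([^)]*<\s*(0x[0-9a-fA-F]{2,}|\d{2,})[^)]*\)\s*\{?\s*\w+\[\s*\w+\s*\]\s*='),
    # slide values that are commonly chosen because they double as an address
    "slide_value": re.compile(r'%u(0c0c|0d0d|0a0a|9090)', re.I),
}


def spray_score(js: str):
    """Return (score, [matched indicator names]) for one JavaScript body."""
    hits = [name for name, pat in INDICATORS.items() if pat.search(js)]
    return len(hits), hits


def is_suspicious(js: str, threshold: int = 2) -> bool:
    """Flag the script only when at least `threshold` indicators co-occur."""
    return spray_score(js)[0] >= threshold


# Constructed samples for the example: a spray-shaped skeleton with no payload,
# and a benign page script that uses unescape() and an array-filling loop.
SPRAY_LIKE = """
var slide = unescape("%u0c0c%u0c0c");
while (slide.length < 0x100000) slide += slide;
var blocks = new Array();
for (var i = 0; i < 200; i++) blocks[i] = slide.substring(0, slide.length - 1);
"""

BENIGN = """
var name = unescape("%u00e9t%u00e9");
for (var i = 0; i < 5; i++) items[i] = i * 2;
"""

if __name__ == "__main__":
    for label, body in (("spray-like", SPRAY_LIKE), ("benign", BENIGN)):
        print(label, spray_score(body), "suspicious" if is_suspicious(body) else "clean")
```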

Microsoft studied the four exploits it has spotted in the attacks, and "they are all very similar," blogged Cristian Craioveanu and Jonathan Ness of Microsoft Security Response Center Engineering.

AlienVault's Blasco says the attackers were likely able to employ some of the DEP and ASLR bypass techniques for Windows 7 that are available online. "On the other hand, I think they spent a reasonable amount of time on the exploit since it contains a working shellcode and ROP chain for different languages, so it requires a good amount of time," he says. Blasco also blogged on his research on the exploit code.

It's unclear thus far whether the attacks are related to the so-called VOHO campaign revealed last fall by RSA Security. The massive targeted cyberespionage campaign has victimized some 900 organizations across various industries, mainly using drive-by Web attacks.


Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments

PJS880 (User Rank: Ninja), 1/7/2013 2:31:03 PM
re: New IE Zero-Day Attack Bypasses Key Microsoft Security Measures

I thought most general vulnerabilities like this one are usually easily fixed or avoided by a patch or something simple that was not known? It sounds like it was a very complicated attack and not performed by the average hacker. In the end it is just a slap in the face for Microsoft by targeting their security features directly.

Paul Sprague
InformationWeek Contributor
