Microsoft Issues Emergency Fix For Internet Explorer Zero-Day

'Fix-it' shipped in the wake of at least two targeted attack campaigns exploiting a newly found bug in IE10

Microsoft has released a temporary workaround tool for a newly discovered zero-day flaw in Internet Explorer that has been spotted being abused in at least two targeted attack campaigns.

Two different cyberespionage attack groups have been seen exploiting the use-after-free bug in Internet Explorer 10 (IE9 has the same bug), which lets attackers remotely run code via malicious JavaScript. Earlier versions of the browser don't contain the flaw.

"At this time, we are only aware of limited, targeted attacks against Internet Explorer 10. This issue allows remote code execution if users browse to a malicious website with an affected browser. This would typically occur by an attacker convincing someone to click a link in an email or instant message," said Dustin Childs, group manager of response communications for Microsoft's Trustworthy Computing group. The one-click Fix it released by Microsoft protects against the known attacks that exploit the bug, he said.

"Internet Explorer 11 is not affected by this issue, so upgrading to this version will also help protect customers from this issue," Childs said.

FireEye last Thursday warned of a new zero-day watering hole attack where the U.S. Veterans of Foreign Wars website was being used to serve up drive-by malware attacks. Dubbed "Operation Snowman" by FireEye, the targeted attack campaign employed malicious JavaScript and an iFrame targeting the zero-day IE bug. The malicious JavaScript code loads a Flash object that in turn infects the victim with a payload that downloads a backdoor ZxShell Trojan.

[Military personnel appear to be the targets of watering-hole attacks from a hacked VFW website. See Snowman Attack Campaign Targets IE10 Zero-Day Bug.]

Websense then revealed that it had seen another targeted attack, by the same group and using the same 0day as the VFW attack, that began earlier, around January 20. The attack targeted a French aerospace association, Groupement des Industries Francaises Aeronautiques et Spatiales (GIFAS), by setting up a phony, malware-ridden website posing as GIFAS's legitimate site.

But yesterday, researchers at Seculert challenged Websense's theory that the two attacks were by the same group. Aviv Raff, CTO at Seculert, says his firm found a different exploit targeting GIFAS. "Our research shows that these are two different attacking groups, with two different targets," but both exploiting the same IE zero-day flaw, Raff says.

They have "almost identical elements of the exploit," he says, which indicates the two groups purchased the exploit from the same creator or seller. Both attacks have the earmarks of Chinese cyberespionage actors, he says.

"While the attack described by FireEye was a watering hole, the attack vector on the French company was probably a spear phishing email, because the attackers were using a fake website of GIFAS," Raff says. Raff says it is likely part of a broader campaign targeting the aerospace industry, but that the malware his firm found was customized to attack remote users at a specific multinational aircraft and rocket engine manufacturer, including its employees, partners and third-party vendors.

"Our analysis reveals that a totally different malware than ZXShell, the culprit as identified by FireEye, was used and has the following capabilities: backdoor (Remote Access Tool), downloader, and information stealer," Seculert wrote in a blog post describing the attack. "The malware drops 2 files: MediaCenter.exe – a copy of itself, and MicrosoftSecurityLogin.ocx, which is registered as an ActiveX – used by malware to steal information from browsing sessions. Once installed the malware communicates with a criminal command and control server (C&C)."

The command and control server and the exploit reside on the same server in the U.S. In addition, the malware comes with a valid digital certificate, from Micro Digital Inc.
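As an added example (not code from the article, FireEye, Websense or Seculert), the Python below runs the artifact names quoted above (MediaCenter.exe, MicrosoftSecurityLogin.ocx and the Micro Digital Inc. signer) over constructed endpoint log lines in an assumed pipe-delimited key=value format; registration of the OCX via regsvr32 is an assumption, since the article only says it is registered as an ActiveX.

```python
import re
from typing import Dict, List

# Artifact names quoted in the Seculert description above.
DROPPED_FILES = {"mediacenter.exe", "microsoftsecuritylogin.ocx"}
OCX_NAME = "microsoftsecuritylogin.ocx"
REPORTED_SIGNER = "micro digital inc."

# Constructed sample log lines (assumed "timestamp|host|event|key=value ..." format).
SAMPLE_LOG = """\
2014-02-14T10:00:58|ws-17|ProcessCreate|image=C:\\Windows\\System32\\notepad.exe parent=explorer.exe
2014-02-14T10:01:01|ws-17|ProcessCreate|image=C:\\Users\\u\\AppData\\Roaming\\MediaCenter.exe parent=iexplore.exe
2014-02-14T10:01:02|ws-17|ProcessCreate|image=C:\\Windows\\System32\\regsvr32.exe cmdline="regsvr32 /s C:\\Users\\u\\AppData\\Roaming\\MicrosoftSecurityLogin.ocx" parent=MediaCenter.exe
2014-02-14T10:01:05|ws-17|FileSigned|image=C:\\Users\\u\\AppData\\Roaming\\MediaCenter.exe signer="Micro Digital Inc."
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_line(line: str) -> Dict[str, str]:
    ts, host, event, rest = line.split("|", 3)
    fields = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
    fields.update(ts=ts, host=host, event=event)
    return fields

def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def reasons_for(ev: Dict[str, str]) -> List[str]:
    # Filename indicators alone are weak; parent process and signer corroborate them.
    out: List[str] = []
    image = basename(ev.get("image", ""))
    parent = basename(ev.get("parent", ""))
    cmdline = ev.get("cmdline", "").lower()
    if ev["event"] == "ProcessCreate" and image in DROPPED_FILES:
        out.append("execution of dropped file " + image)
        if parent == "iexplore.exe":
            out.append("spawned by Internet Explorer (browser exploit chain)")
    if image == "regsvr32.exe" and OCX_NAME in cmdline:  # assumed registration path
        out.append("ActiveX registration of " + OCX_NAME)
    if ev.get("signer", "").lower() == REPORTED_SIGNER:
        out.append("signed by the certificate named in the reporting")
    return out

def scan(log_text: str) -> List[Dict[str, object]]:
    findings = []
    for line in filter(str.strip, log_text.splitlines()):
        ev = parse_line(line)
        reasons = reasons_for(ev)
        if reasons:
            findings.append({"ts": ev["ts"], "host": ev["host"], "reasons": reasons})
    return findings
```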

There's been no indication publicly that the IE 0day has been commercialized for traditional cybercriminals just yet, but it's only a matter of time. "We haven't seen attackers incorporate the 0-day in exploit kits just yet. But, as we've seen with past 0-days, it shouldn't take them too long," Raff says.

Another Day, Another 0Day
Meanwhile, FireEye today disclosed details of yet another cyberespionage campaign using another zero-day flaw, this time in Adobe Flash. The so-called "Operation Greedywonk" is targeting U.S. think tank websites, and FireEye estimates that thousands of visitors to those sites have been infected.

Adobe today issued an out-of-band patch to fix flaws in Flash Player, including the bug used in the zero-day attacks in Operation Greedywonk.


Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
