Multiple Targeted IE Attacks Underway, Microsoft To Release Patch Tomorrow

Microsoft today issued an interim Fix-it tool to protect Internet Explorer browsers from a zero-day vulnerability that has spawned attacks by traditional cyberespionage players out of China
Microsoft will release an emergency patch tomorrow for a zero-day flaw in Internet Explorer that has been quickly snapped up by attackers out of China.

The critical "use after free" bug, which was discovered last weekend and affects all versions of IE except for IE 10, led to warnings of avoiding IE altogether -- including the German government advising citizens to swear off IE until the bug gets patched. An attack module was added to the Metasploit tool this week, adding to concerns of a snowball effect of IE attacks by financially motivated hackers.

Most attacks spotted in the wild so far have been targeted and appear to be typical cyberespionage campaigns out of China, security expert say. "The acceleration of vulnerability discovery to weaponization and spear phish campaigns is due to the real economic value captured by the nation-state actors and cybercrime organizations through exploitation of these vulnerabilities," says Anup Ghosh, founder and CEO of Invincea.

Microsoft all along has maintained that the attacks exploiting the flaw were limited, but the software giant still responded rapidly to reports of attacks this week by issuing an interim FixIt for the vulnerability today and promising a full patch tomorrow.

[Microsoft also released a temporary fix for a zero-day vulnerability being exploited in the wild that allows for remote code execution via Internet Explorer if a user visits a rigged Web page.. See Microsoft Issues 'FixIt' For ZeroDay Plus New Updater For Windows That Fights Flame.]

"While the vast majority of people are not impacted by this issue, today Microsoft provided a temporary fix that can be downloaded with one easy click and offers immediate protection. We will also provide a permanent solution for customers that will be automatically enabled on Friday, Sept. 21, 2012," said Yunsun Wee, director of Microsoft's Trustworthy Computing Group.

Security researchers have spotted at least ten different versions of the exploit spread across different servers, each aimed a specific user. "I've seen at least ten different versions of the same IE zero-day in different severs targeting different users. Most of them contains clues that point to the same people ... Based on the analysis we did on the exploit code and the payloads they use – PoisonIvy and PlugX – it is likely that a Chinese group is behind this," says Jaime Blasco, manager of AlienVault Labs.

Blasco says the targeted organizations are the same ones who are traditionally attacked by Chinese hackers conducting cyberespionge. "Of course, in the digital world, everything can be fake and you cannot trust everything you see," he says. "[But] also based on the target list, they [the targets] are the same guys that are being targeted by the [Chinese attackers] 24/7."

And the attacks he's seen likely only scratch the surface, Blasco says. "I've found several targeted attacks going on that use that zero-day. If I'm able to find them, it is obvious there will be probably dozens of other instances out there that we are not able to identify," he says. "The instances I've found are being use to target specific sectors including Defense contractors, industrial companies, supply chain companies" in the defense industry, he says.

But with the Metasploit attack module available, it won't be long before the exploit is added to crimeware kits and used by traditional cybercriminals, he says. "It is very likely we will find this include in BlackHole and other exploit kits very soon," Blasco says.

Several security experts applauded Microsoft's quick response and patch turnaround for the IE vulnerability. But calls by some to stop using IE altogether were misguided, says Invincea's Ghosh.

"People calling for users to stop using Internet Explorer are missing the point. IE is not materially worse security-wise than the other major browsers. Its market share is what drives production of exploits -- switching from IE to other browsers will only shift malware writers to other browsers," Ghosh says. "And realistically, IE has its largest market share in business because of its group policy and business application support. So calls to switch to different browsers -- along with uninstalling Java -- neither solve the problem nor are realistic for business users."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.