9/20/2012 02:11 PM
Multiple Targeted IE Attacks Underway, Microsoft To Release Patch Tomorrow

Microsoft today issued an interim Fix-it tool to protect Internet Explorer browsers from a zero-day vulnerability that has spawned attacks by traditional cyberespionage players out of China

Microsoft will release an emergency patch tomorrow for a zero-day flaw in Internet Explorer that has been quickly snapped up by attackers out of China.

The critical use-after-free bug, which was discovered last weekend and affects all versions of IE except IE 10, prompted warnings to avoid IE altogether, including the German government advising citizens to stop using IE until the bug is patched. An exploit module was added to Metasploit this week, raising concerns that financially motivated attackers would pile on and IE attacks would snowball.

Most attacks spotted in the wild so far have been targeted and appear to be typical cyberespionage campaigns out of China, security experts say. "The acceleration of vulnerability discovery to weaponization and spear phish campaigns is due to the real economic value captured by the nation-state actors and cybercrime organizations through exploitation of these vulnerabilities," says Anup Ghosh, founder and CEO of Invincea.

Microsoft has maintained throughout that attacks exploiting the flaw were limited, but the software giant still responded rapidly to this week's reports by issuing an interim Fix-it for the vulnerability today and promising a full patch tomorrow.

[Microsoft also released a temporary fix for a zero-day vulnerability being exploited in the wild that allows remote code execution via Internet Explorer if a user visits a rigged Web page. See Microsoft Issues 'FixIt' For ZeroDay Plus New Updater For Windows That Fights Flame.]

"While the vast majority of people are not impacted by this issue, today Microsoft provided a temporary fix that can be downloaded with one easy click and offers immediate protection. We will also provide a permanent solution for customers that will be automatically enabled on Friday, Sept. 21, 2012," said Yunsun Wee, director of Microsoft's Trustworthy Computing Group.

Security researchers have spotted at least ten different versions of the exploit spread across different servers, each aimed at a specific set of users. "I've seen at least ten different versions of the same IE zero-day in different servers targeting different users. Most of them contain clues that point to the same people ... Based on the analysis we did on the exploit code and the payloads they use – PoisonIvy and PlugX – it is likely that a Chinese group is behind this," says Jaime Blasco, manager of AlienVault Labs.

Blasco says the targeted organizations are the same ones traditionally attacked by Chinese hackers conducting cyberespionage. "Of course, in the digital world, everything can be fake and you cannot trust everything you see," he says. "[But] also based on the target list, they [the targets] are the same guys that are being targeted by the [Chinese attackers] 24/7."

And the attacks he has seen likely only scratch the surface, Blasco says. "I've found several targeted attacks going on that use that zero-day. If I'm able to find them, it is obvious there will be probably dozens of other instances out there that we are not able to identify," he says. "The instances I've found are being used to target specific sectors including Defense contractors, industrial companies, supply chain companies" in the defense industry, he says.

But with the Metasploit exploit module available, it won't be long before the exploit is added to crimeware kits and used by traditional cybercriminals, he says. "It is very likely we will find this included in BlackHole and other exploit kits very soon," Blasco says.

Several security experts applauded Microsoft's quick response and patch turnaround for the IE vulnerability. But calls by some to stop using IE altogether were misguided, says Invincea's Ghosh.

"People calling for users to stop using Internet Explorer are missing the point. IE is not materially worse security-wise than the other major browsers. Its market share is what drives production of exploits -- switching from IE to other browsers will only shift malware writers to other browsers," Ghosh says. "And realistically, IE has its largest market share in business because of its group policy and business application support. So calls to switch to different browsers -- along with uninstalling Java -- neither solve the problem nor are realistic for business users."

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
