FireEye Discovers Widespread Zero-Day Exploit In Internet Explorer
April 28, 2014


Lawrence LeBlond for - Your Universe Online

After a web security firm identified and revealed a zero-day exploit in Internet Explorer over the weekend, Microsoft announced that it is actively investigating the vulnerability and will take “appropriate action” once it completes that investigation.

FireEye Research Labs on Saturday identified a zero-day exploit for a vulnerability that affects IE6 through IE11, although the attacks observed so far target only IE9 through IE11. “Microsoft has assigned CVE-2014-1776 to the vulnerability and released a security advisory to track this issue,” said FireEye on its blog.

Microsoft said on its Security TechCenter page that it “is aware of limited, targeted attacks that attempt to exploit a vulnerability in Internet Explorer 6, Internet Explorer 7, Internet Explorer 8, Internet Explorer 9, Internet Explorer 10, and Internet Explorer 11.”

“The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website,” Microsoft said.

FireEye has named the ongoing campaign “Operation Clandestine Fox.” The firm said it would not disclose campaign details for a number of reasons, but noted that the zero-day exploit is significant because the targeted versions alone accounted for more than 25 percent of the total browser market in 2013.

According to NetMarketShare figures for 2013, the targeted versions held the following shares: IE9 (13.9 percent), IE10 (11.04 percent) and IE11 (1.32 percent), or about 26 percent combined. Adding the earlier versions that are vulnerable but not currently targeted, IE8 (22.48 percent), IE7 (1.73 percent) and IE6 (5.76 percent), brings the total affected share of the browser market to 56.23 percent.

According to FireEye, “the exploit leverages a previously unknown use-after-free vulnerability and uses a well-known Flash exploitation technique to achieve arbitrary memory access and bypass Windows’ ASLR and DEP protections.” The two parts work together: a use-after-free lets the attacker reuse freed memory that the browser still references, and an arbitrary read primitive lets the exploit discover where code has been loaded at run time, which is what defeats ASLR. Once those addresses are known, execution can be redirected into code that is already executable rather than into injected shellcode, which is what DEP would otherwise block.

“On completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include providing a solution through our monthly security update release process, or an out-of-cycle security update, depending on customer needs,” Microsoft said on its Security TechCenter page.

Microsoft said it is working with partners through its Microsoft Active Protections Program (MAPP) to provide information that security vendors can use to offer customers broader protections. The software giant continues to encourage customers to follow the guidance in its Safety & Security Center: enable a firewall, apply software updates, and install anti-malware software to help mitigate intrusions.

Microsoft also listed a number of mitigating factors that reduce exposure to this type of attack by default: Internet Explorer on supported Windows Server releases runs in a restricted mode known as Enhanced Security Configuration, and supported versions of its mail programs (Outlook, Outlook Express and Windows Mail) open HTML email in the Restricted sites zone, which disables script and ActiveX controls.

Microsoft also notes that an attacker who exploits this vulnerability gains the same user rights as the current user. Users whose accounts are configured with fewer rights on the system are therefore less affected than users who run with administrative rights, so day-to-day browsing should be done from a standard (non-administrator) account.

The vulnerability could be further mitigated by avoiding untrusted websites and not clicking on advertisements or other content that seem suspicious, as well as not clicking on links in email or Instant Messenger messages.

FireEye also noted that Microsoft’s Enhanced Mitigation Experience Toolkit (EMET) may break the exploit and prevent it from taking control of the system; EMET versions 4.1 and 5.0 broke (and/or detected) the exploit in its tests. It also said that Enhanced Protected Mode (EPM), available in IE10 and later, breaks the exploit in its tests. Finally, because the attack depends on Adobe Flash for its memory-corruption technique, disabling the Flash plugin in IE prevents the exploit from functioning.
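The mitigations listed above (a non-administrator account, Enhanced Protected Mode, EMET 4.1 or later, and no Flash in IE) can be audited and, where they are registry settings, applied with a short PowerShell script. The script below is an added example written for this article; it is not code from FireEye, Microsoft or the original page. The registry locations it uses (the `Isolation` and `Isolation64Bit` values under the IE `Main` key for EPM, the ActiveX Compatibility kill bit for the Shockwave Flash CLSID, and the EMET entry under the uninstall keys) are taken from Microsoft's published documentation as the editor understands it, and the function names are the editor's own.

```powershell
# Added example (not from the article, FireEye or Microsoft): audit and
# optionally enforce the CVE-2014-1776 mitigations the article lists.
# Registry paths/values below are assumptions based on Microsoft documentation.
[CmdletBinding()]
param(
    # Without -Enforce the script only reports. With it, EPM is enabled for the
    # current user and the Flash ActiveX kill bit is set (the latter needs an
    # elevated prompt, since it lives under HKLM).
    [switch]$Enforce
)

$IeMain     = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
$FlashClsid = '{D27CDB6E-AE6D-11cf-96B8-444553540000}'   # Shockwave Flash Object
$KillBit    = 0x400   # COMPAT_FLAG_KILLBIT: IE refuses to instantiate the control

# ActiveX Compatibility keys: 64-bit Windows also carries a Wow6432Node copy for 32-bit IE.
$AxCompat = @("HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$FlashClsid")
if ([Environment]::Is64BitOperatingSystem) {
    $AxCompat += "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$FlashClsid"
}

function Test-RunningAsAdmin {
    # True when the current token is elevated; for browsing this should be False.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    (New-Object Security.Principal.WindowsPrincipal $id).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-IeVersion {
    # IE10+ records its version in svcVersion; older releases only in Version.
    $k = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Internet Explorer' -ErrorAction SilentlyContinue
    if ($k.svcVersion) { $k.svcVersion } else { $k.Version }
}

function Test-EnhancedProtectedMode {
    # EPM is on when Isolation = "PMEM"; Isolation64Bit = 1 additionally runs 64-bit tab processes.
    $k = Get-ItemProperty $IeMain -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Enabled           = ($k.Isolation -eq 'PMEM')
        Use64BitProcesses = ($k.Isolation64Bit -eq 1)
    }
}

function Enable-EnhancedProtectedMode {
    if (-not (Test-Path $IeMain)) { New-Item $IeMain -Force | Out-Null }
    Set-ItemProperty $IeMain -Name Isolation      -Value 'PMEM' -Type String
    Set-ItemProperty $IeMain -Name Isolation64Bit -Value 1      -Type DWord
}

function Get-EmetVersion {
    # EMET is an MSI package, so it appears under the usual uninstall keys.
    $paths = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty $paths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'EMET*' } |
        Select-Object -First 1 -ExpandProperty DisplayVersion
}

function Test-FlashKillBit {
    # True only if every applicable ActiveX Compatibility key carries the kill bit.
    $results = foreach ($p in $AxCompat) {
        if (Test-Path $p) {
            $flags = (Get-ItemProperty $p -ErrorAction SilentlyContinue).'Compatibility Flags'
            [bool]($flags -band $KillBit)
        } else { $false }
    }
    @($results) -notcontains $false
}

function Set-FlashKillBit {
    foreach ($p in $AxCompat) {
        if (-not (Test-Path $p)) { New-Item $p -Force | Out-Null }
        Set-ItemProperty $p -Name 'Compatibility Flags' -Value $KillBit -Type DWord
    }
}

# ---- Audit ---------------------------------------------------------------
$epm  = Test-EnhancedProtectedMode
$emet = Get-EmetVersion
[pscustomobject]@{
    IEVersion      = Get-IeVersion
    RunningAsAdmin = Test-RunningAsAdmin          # should be False for a browsing account
    EPMEnabled     = $epm.Enabled
    EPM64Bit       = $epm.Use64BitProcesses
    EMETVersion    = if ($emet) { $emet } else { 'not installed' }
    EMETAtLeast41  = [bool]($emet -and ([version]$emet -ge [version]'4.1'))
    FlashKillBit   = Test-FlashKillBit
} | Format-List

# ---- Enforce (optional) --------------------------------------------------
if ($Enforce) {
    if (-not $epm.Enabled) { Enable-EnhancedProtectedMode }
    if (-not (Test-FlashKillBit)) {
        if (Test-RunningAsAdmin) { Set-FlashKillBit }
        else { Write-Warning 'Setting the Flash kill bit requires an elevated prompt.' }
    }
    Write-Host 'Restart Internet Explorer for the changes to take effect.'
}
```

Run it once without `-Enforce` from the account that actually browses, so that `RunningAsAdmin` reflects real usage; run it again with `-Enforce` from an elevated prompt only to set the HKLM kill bit. The EPM values written here are per-user; in a managed environment the equivalent Group Policy setting (“Turn on Enhanced Protected Mode”) under `HKLM\Software\Policies` takes precedence, and EMET is reported but not installed by the script because it is a separate download.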

FireEye said, “The APT group responsible for this exploit has been the first group to have access to a select number of browser-based 0-day exploits (e.g. IE, Firefox, and Flash) in the past. They are extremely proficient at lateral movement and are difficult to track, as they typically do not reuse command and control infrastructure.”

“They have a number of backdoors including one known as Pirpi that we previously discussed here. CVE-2010-3962, then a 0-day exploit in Internet Explorer 6, 7, and 8, dropped the Pirpi payload discussed in this previous case,” FireEye concluded in its blog.

Because the investigation is still active, FireEye has released no further details or indicators of compromise for the exploit at this time.