November 3, 2010

Microsoft Corp. today warned Internet Explorer users that attackers are exploiting a previously unknown security hole in the browser to install malicious software. The company is urging users who haven’t already done so to upgrade to IE8, which includes technology that makes the vulnerability more difficult to exploit.

According to the advisory Microsoft published, this is a browse-to-a-malicious-site-and-get-owned vulnerability. The company reports that the exploit code was discovered on a single Web site that is no longer online. But if past attacks against unpatched IE flaws are any indicator, it will probably not be long before the attack is stitched into plenty of other hacked and malicious Web sites.

Redmond says Data Execution Prevention (DEP) technology enabled by default in IE8 helps protect against attacks, and that the same protection is enabled on all supported platforms, including Windows XP Service Pack 3, Windows Vista Service Pack 1, Windows Vista Service Pack 2, and Windows 7. IE9 beta apparently is not at risk from this threat.

In a post to its Microsoft Security Response Center blog, the company said that it is working to develop a security update to address this attack against the flaw, but that at the moment it “does not meet the criteria for an out-of-band release.” Microsoft is expected to issue another round of security updates next week as part of its regular “Patch Tuesday” cycle, which generally occurs on the second Tuesday of each month.

Symantec Corp. has posted a fascinating blog entry that details just how targeted the attacks have been so far. It offers a peek at how these types of critical flaws in widely-used applications can be used in pinprick attacks to extract very specific information from targeted organizations and individuals. From that post:

“One such case started few days ago when we received information about a possible exploitation using older versions of Internet Explorer as targets. Hackers had sent emails to a select group of individuals within targeted organizations. Within the email the perpetrators added a link to a specific page hosted on an otherwise legitimate website.

….Looking at the log files from this exploited server we know that the malware author had targeted more than a few organizations. The files on this server had been accessed by people in lots of organizations in multiple industries across the globe. Very few of them were seen accessing the payload file, which means that most users were using a browser which wasn’t vulnerable or targeted.”

Read more from the Symantec writeup here.


10 thoughts on “Microsoft Warns of Attacks on Zero-Day IE Bug

  1. Marlene

    Brian, I am a subscriber to your email notices and others. I suppose I am “anal” when it comes to online secuirty as I have worked with computers before there was an internet.

    I have found many warnings prior to an update (mostly Microsoft, but others as well) or a work-around to an already existing issue on Shavlik’s Patchmanagement service. I am sure you are aware of it, or at least should be. It may be another source for your subscribers to use before the 2nd Tuesday rollouts of MS updates and security patches. It saved me quite a few times of the headache of dealing with problems from installing an update that only caused another issue.

    The URL for this service, it is:
    http://listserv.patchmanagement.org

  2. Again

    Get the Northrop Grumman paper “Capability of the People’s Republic of China to Conduct Cyber Warfare and Computer Network Exploitation” and skip to page 59, “Operational Profile of an Advanced Cyber Intrusion”. Just skim it!

    The shell commands in the Symantec blog entry are the start of the 4 bullets on page 61, collecting userids and hashes for a pass-the-hash attack, and prepping for the RDP reverse proxy (which can use the hashes). I don’t know why pass the hash doesn’t get more coverage, it pretty much opens up a Windows network once you have one machine.

    While Symantec’s Pirpi entry might be dated today the Microsoft and ThreatExpert entries are nearly a year old and the NG paper says their incident is several years before that. The TE report shows what an actual “image picture index news” URL looks like, with a full domain name that’s still registered. The TE report shows a victim that hasn’t progressed – like is happening to the victim in the Symantec blog.

    http://www.threatexpert.com/report.aspx?md5=d914569b06c219ffe1403cfa5cefb17e

    I don’t think these hackers lack for zero day exploits. This makes 3 that have come to light, they must have plenty in reserve.

    1. LonerVamp

      Not to be anal…but keep in mind the 0day against IE refers to how the attackers achieve the ability to execute their payload. The shell commands and other actions to gather info or expand influence are not part of the 0day. They’re part of the payload, which are just typical things an attacker will attempt to do. (Unless said payload is also an attack, such as a local priv escalation.)

      In short, it’s not surprising they’ve been discussed before. Unless I’m missing something you mentioned.

      Of course, the similarity to other incidents may indicate a common payload being shared in amongst attackers or the same author/group. That certainly wouldn’t be surprising.

      1. Again

        I was responding to this line from the article, in particular the word “fascinating”:

        >Symantec Corp. has posted a fascinating blog entry that
        >details just how targeted the attacks have been so far.

        That’s not a spambot/click-fraud hacker who spends half his time trawling for as many disposable victims as he can get, as fast as he can get them, for as long as he can hold them, using as many exploits as he can heap together. It’s an attacker who has a victim in mind and pulls out/creates a private exploit to accomplish a single step in his plan. The plan lasts months to a year or more, the zero day exploit stage just a few minutes.

        >Unless I’m missing something you mentioned.

        Yes, we’re interested in different aspects of this.

  3. Tom Cross

    Amazing!

    In the past, I have tried to remove IE from computers running XP – Add/Remove Windows components; search/delete iexplore, etc. only to find that typing “iexplore” in the Run command box, brings up IE…even when the exe file is nowhere to be found.

    This week we discovered that Win7 (not sure about Vista) allows you to completely remove IE from the computer using the Program (Windows components) Applet in the control panel.

    Gone…and won’t run from Run box. But what about MS updates? Doesn’t use IE anymore. Can’t tell if this is something new or may have been there for a while. Certainly interesting in light of the MS ad campaign for IE8 (“…stopped 3 million phishing attempts”) recently.

      1. hhhobbit

        TJ, that’s great if you can live without those four things. Most people can’t live without it and IE isn’t easily removed on XP. An alternative to Adobe Reader is evince:

        http://live.gnome.org/Evince/Downloads

        But evince can not open PDF encrypted files so you probably would want to use something like 7-Zip with AES encryption turned on or GPG4Win to encrypt the files if you use evince and encrypting the PDF files you send others is a mandatory requirement. You can mitigate some of the risk by offloading some of the load to Google’s gpdf doing the viewing in a browser for PDF files on the Internet in the browser as long as you use either Chrome or Firefox:

        http://securemecca.blogspot.com/2010/09/adobe-pdf-protection.html

        Warning. You cannot see attached PDF files in any web mail program other than GMail, and you would be better off using the Chrome browser if you want to download the PDF files attached to messages you read in GMail.

        You don’t really need to uninstall Java as long as the browser has support for disabling it unless you create Internet filters like I do. Even there it is just a precaution but I must say I have not needed Java for personal use for over three years now. But the recent Java KoobFace worm shows that on the Macintosh at least you are asked by both JRE and the OS before proceeding. Some idiots allowed it to proceed past both warnings. Duh!

        Removing IE on XP is problematical. You may want to consider EMET instead and especially consider EMET if you must have Java enabled all of the time for company apps:

        http://preview.tinyurl.com/28znulg

        If you dump Adobe Flash you will at least get rid of the dog and pony show ;^). Seriously though, there are many web sites that just won’t work without Flash. It is just too bad there is no way to selectively disable it. Are you listening browser creators and Adobe? Give us a way to turn off Flash just like we can turn off Java in the browser until we need it.

        Thanks for the URL. I will check the hosts but I think I have almost all of them in my blocking hosts file. Hmm, is Elenore really all that bad? I had not noticed it. Some of those php URLs actually give you encoded PDF files or EXE files. You know, a lot of this can be left behind by just using a Macintosh or Linux. It may be true that much of the reason for hackers not attacking Linux and to a lesser extent Macs is their lack of market presence. But Linux has consistently hovered around only 0.75+% of people using it for years now and will probably remain that way forever. So shifting to these other OS is is a dandy way to avoid what is primarily a Windows malware problem. I have blocked precious few Mac exploits and only one exploit that worked on Linux. That one is a JavaScript BHO ToolBar that leaves a report home to company portion after you uninstall the toolbar. All of the other Linux exploits are just POC that I have never been able to get the malware. Linux malware supposedly exists but I have never been able to get it other than that toolbar (which is actual, not POC). That is really how rare Linux malware is. My filters are available at HostsFile dot org and SecureMecca dot com.

  4. diocyde

    I will reiterate and collaborate exactly what “again” posted. Brian I have mentioned before the fact that the last 6 to 8 O-days are directly injected into the public space by Chinese cyberoperators in support of national intelligence tasking.. namely to rob America blind. Wake up and do some real investigative journalism. As collateral damage these bleed into the public and enable crime ad a post attack effect. If WC and other companies quit the crappy with worthless naming conventions and actually researched the aware and the targeted organizations then maybe they could connect the dots. The tools they use are custom and not found in the wild supporting crime. If it isn’t in the hundreds of thousands or highly advanced then AV firms rate it a low risk. They don’t tell the public these are specific cyberweapons used for wholesale rape of organizations communications, R&D, and america’s technological edge. Read more and get some knowledge. It’s high time we told them to cut the sh!t or we are going show up one day on their doorstep with a message. Need the address? Heh. Silly dragon. Diocyde.Wordpress.com

  5. diocyde

    This is CHINA intel tasking to rob America blind. They have leveraged approx 6-8 o-days in targeted attacks over the last 2-3 months. Better get a clue and do some real reporting or America wont have anything left to steal. In the mean time we can all thank them for leaving the world with nice cybercrime force multipliers so everyone else gets robbed blind as well.

  6. Vince M

    Brian,

    Does the Fixit for the IE vulnerability limit or change the way IE works? and does it need to be removed before the eventual patch is installed?

    Thanks

Comments are closed.