28 Dec 12

Attackers Target Internet Explorer Zero-Day Flaw


Attackers are breaking into Microsoft Windows computers using a newly discovered vulnerability in Internet Explorer, security experts warn. While the flaw appears to have been used mainly in targeted attacks so far, this vulnerability could become more widely exploited if incorporated into commercial crimeware kits sold in the underground.

In a blog posting Friday evening, Milpitas, Calif.-based security vendor FireEye said it found that the Web site for the Council on Foreign Relations was compromised and rigged to exploit a previously undocumented flaw in IE8 to install malicious software on vulnerable PCs used to browse the site.

According to FireEye, the attack uses Adobe Flash to exploit a vulnerability in the latest (fully-patched) version of IE8. Dustin Childs, group manager for response communications at Microsoft, said the vulnerability appears to exist in previous versions of IE.

“We are actively investigating reports of a small, targeted issue affecting Internet Explorer 6-8,” Childs said in an emailed statement. “We will take appropriate action to help keep customers protected once our analysis is complete. People using Internet Explorer 9-10 are not impacted.”

As FireEye notes, this is another example of a “watering hole” attack, which involves the targeted compromise of legitimate websites thought to be of interest to or frequented by end users who belong to organizations that attackers wish to infiltrate. Earlier this year, I wrote about similar zero-day attacks against visitors to the Web sites of the National Democratic Institute, The Carter Center, and Radio Free Europe.

Update, Dec. 30, 9:25 a.m. ET: Microsoft has officially acknowledged this vulnerability in an advisory, which contains some advice for IE users about how to mitigate the threat. As IE versions 9 and 10 are not impacted, users running Windows Vista or higher can upgrade to the latest browser version here.

Update, Jan. 1, 8:56 p.m. ET: Microsoft’s advisory now includes a link to a stopgap “FixIt” solution that may help to blunt attacks until the company issues an official patch for this vulnerability.


46 comments

  1. As one celebrity site noted, you might get access to Angelina Jolie – since she’s a member of the CFR.

    Now that kind of hack I could get behind! :-)

  2. “We will take appropriate action to help keep customers protected once our analysis is complete. People using Internet Explorer 9-10 are not impacted.” So when can we expect a fix?

    • Well my Internet Explorer 9 is impacted on my computer, with a small box that says “message from webpage” with exclamation point, and “object error”. So please let me know when they will have a patch ready.

  3. It’s worth noting that IE9 is not supported on Windows XP, so this vulnerability is probably most dangerous for XP users who browse with IE.

  4. Rabid Howler Monkey

    Windows Vista and 7 were initially released with Internet Explorer 7 and 8, respectively. Thus, Windows Vista and 7 users can protect themselves by ensuring that they have upgraded to the latest version of Internet Explorer that their OS supports, Internet Explorer 9 in both cases.

    You can click the Internet Explorer menu item ‘Help’ -> ‘About Internet Explorer’ to check the installed version on your Vista or 7 system. If you’re not running Internet Explorer 9, then it’s time to upgrade through Windows Update (just note that “IE 9 will not install automatically on machines. Users will have to agree to install IE 9.”):

    http://blogs.windows.com/ie/b/ie/archive/2011/04/14/updating-ie9-through-windows-update.aspx

    Alternatively, IE9 can be downloaded from Microsoft’s Download Center and installed (scroll down for instructions):

    “Windows Internet Explorer 9 for Windows Vista and Windows Server 2008”
    http://www.microsoft.com/en-us/download/details.aspx?id=16792

    “Windows Internet Explorer 9 for Windows 7”
    http://www.microsoft.com/en-us/download/details.aspx?id=13950

  5. Our lil Chinese hackers are at it again from the looks of things. While no one is saying it officially, from the looks of the stories it sure seems this way. What I am starting to wonder is if they are buying vulnerabilities or if their hacking hierarchy is that good at the development. I read a report where different hacking teams look after different aspects of the work: some look after the low-level stuff, some create the targets for the phish e-mails, some create the actual way the exploit is packaged and others control the information flow. If these guys are finding the exploits, then they seem to be awfully good at it. I don’t know the exact total but I believe it is 7 or 8 previously unknown exploits that they have deployed (if Brian or someone else knows the exact total feel free to correct me). But I have to wonder if they don’t have an inside source for all the exploits they seem to be finding that have been unknown till they have used them; it just seems a little uncanny. I am sure they might be finding some of these, but I wonder if they are gleaning some inside source and buying some of these. It seems more and more that industrial and government espionage are becoming China’s secret weapon.

    • You don’t know the half of it – and the Chinese aren’t the only culprits. We cover only a minuscule portion of the attack methods used in concerted efforts by industrial espionage groups on this blog. I’m not sure anyone could cover much more.

  6. Well, good example Brian: you have $50 and open a carding forum account in there and done :) The website http://www.omerta.cc has lots of stuff there publicly, so it should be taken down, this stupid site. Canadian identities are sold there like fresh bread:
    DOB, DL and other.

  7. Is this not the exact scenario that DEP was supposed to protect against? So long as the heap is either executable or writable it should not be possible to get the CPU to jump to the heap-sprayed code fragments. Does IE not make use of DEP?

    • Hi Freddie,

      Yes, IE uses DEP, but DEP cannot protect you when it has been bypassed. DEP has been available in Windows since the release of XP SP2 in August 2004. It was not until the release of IE 8 in March 2009 that DEP was enabled by default for IE on Windows XP. IE8 also enabled DEP by default on Vista SP1 and SP2 and Windows 7.

      In addition since XP SP2 all versions of Internet Explorer have been built with /GS (Guard Stack Buffer Overflow protection) and SAFESEH enabled.

      The reason why this exploit works is that it bypasses DEP using Return Oriented Programming. The current exploit is bypassing ASLR by using a Java DLL or a Microsoft Office DLL that is known to be loaded at a pre-determined location.

      This was mentioned by Microsoft in the following blog post:

      http://blogs.technet.com/b/srd/archive/2012/12/29/new-vulnerability-affecting-internet-explorer-8-users.aspx

      This exploit is far from the first time DEP and ASLR have been bypassed. For example the Zero day flaw in IE back in September also did this:

      http://blogs.technet.com/b/srd/archive/2012/09/19/more-information-on-security-advisory-2757760-s-fix-it.aspx

      Further examples are available from:

      http://blogs.technet.com/b/srd/archive/2010/01/20/reports-of-dep-being-bypassed.aspx

      http://blogs.technet.com/b/srd/archive/2010/12/08/on-the-effectiveness-of-dep-and-aslr.aspx

      Note that DEP does not prevent a program from allocating RWX (Read, write execute) memory. This is what the exploit appears to use since a de-allocated (already freed) RWX piece of memory is heap sprayed and then executed (this may involve the injected DLL calling a function stored in that freed chunk of memory). Obviously exact details aren’t provided.

      Since Microsoft EMET pre-allocates commonly heap-sprayed memory locations when enabled for IE, this exploit is blocked by EMET. EMET’s EAF mitigation also blocks the shellcode used in this exploit. In addition, the Java or Office DLLs are no longer placed at pre-determined locations.

      The technique of heap spraying is far less effective against 64 bit versions of IE for the following reason:

      64 bit programs are harder to exploit since they make use of a much larger address space than 32 bit programs. Thus heap spraying techniques are far less effective since the HEASLR (High Entropy Address Space Layout Randomization) of a 64 bit process makes this technique impractical.

      Microsoft mentions this in the following blog post:

      http://blogs.msdn.com/b/ie/archive/2012/03/14/enhanced-protected-mode.aspx

      I hope the above information answers your question. Thank you.
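The two threads above (Rabid Howler Monkey’s IE version check and JimboC’s explanation of DEP, 64-bit address space and the affected IE 6-8 range) describe facts an administrator can read off a machine directly. The script below is an added example, not code from the article or from any commenter: a read-only audit that reports the installed IE version, whether the OS can run IE 9, the system DEP policy, and whether a 64-bit iexplore.exe is present. The registry path, the `svcVersion` value and the `Win32_OperatingSystem` properties are Microsoft’s; the classification logic and function names are this example’s own assumptions.

```powershell
# Added example (not from the article or its commenters): read-only audit of the
# client-side state discussed in the thread. Runs in PowerShell 2.0+ on XP SP3,
# Vista and 7. Registry keys and WMI properties are Microsoft's; the
# "Affected"/"Findings" logic is this example's own.

function Get-IEVersionInfo {
    # IE records its version under this key. From IE 10 on, "svcVersion" holds
    # the real version while "Version" stays at 9.x for application compatibility.
    $ie = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Internet Explorer'
    $version = $ie.Version
    if ($ie.svcVersion) { $version = $ie.svcVersion }
    $major = [int]($version.Split('.')[0])
    New-Object PSObject -Property @{
        Version  = $version
        Major    = $major
        # Microsoft's statement quoted in the article: IE 6-8 affected, IE 9-10 not.
        Affected = ($major -ge 6 -and $major -le 8)
    }
}

function Get-DepPolicy {
    # Win32_OperatingSystem.DataExecutionPrevention_SupportPolicy:
    # 0 = AlwaysOff, 1 = AlwaysOn, 2 = OptIn (client default: Windows binaries
    # plus programs that opt in, as IE 8+ does), 3 = OptOut.
    $os = Get-WmiObject Win32_OperatingSystem
    $names = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }
    New-Object PSObject -Property @{
        Policy    = $names[[int]$os.DataExecutionPrevention_SupportPolicy]
        Available = $os.DataExecutionPrevention_Available   # hardware NX/XD support present
        OSVersion = $os.Version                             # 5.1.2600 = XP, 6.0.x = Vista, 6.1.x = 7
        Is64Bit   = ($os.OSArchitecture -eq '64-bit')       # property absent on XP -> $false
    }
}

function Test-IEExposure {
    $ie  = Get-IEVersionInfo
    $dep = Get-DepPolicy
    $canRunIE9 = ([version]$dep.OSVersion) -ge [version]'6.0'   # IE 9 needs Vista or later
    $findings = @()

    if ($ie.Affected) {
        if ($canRunIE9) {
            $findings += "IE $($ie.Version) is in the affected 6-8 range and this OS supports IE 9: upgrade via Windows Update or the Download Center."
        } else {
            $findings += "IE $($ie.Version) is in the affected 6-8 range and this OS cannot run IE 9: apply the Microsoft Fix it (KB 2794220) and restrict active content."
        }
    }
    if ($dep.Policy -eq 'AlwaysOff') {
        $findings += 'System DEP policy is AlwaysOff, so IE cannot opt in to DEP on this machine.'
    }

    # ProgramW6432 always points at the 64-bit Program Files on x64 Windows, even
    # from a 32-bit PowerShell; fall back to ProgramFiles elsewhere.
    $pf = $env:ProgramFiles
    if ($env:ProgramW6432) { $pf = $env:ProgramW6432 }
    $x64IE = Join-Path $pf 'Internet Explorer\iexplore.exe'
    if ($dep.Is64Bit -and (Test-Path $x64IE)) {
        $findings += "64-bit iexplore.exe present at $x64IE (larger address space makes heap spraying far less practical, as noted above)."
    }

    New-Object PSObject -Property @{
        IE       = $ie
        DEP      = $dep
        Findings = $findings
    }
}

Test-IEExposure | Format-List
```

The script changes nothing; it only reads HKLM and WMI, so it can be run from a standard user account on most builds. A `Policy` of `OptIn` is the normal client default and is not a finding in itself: IE 8 and later opt in, which is what JimboC’s comment refers to.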

  8. Well I can at least set the Flash kill bit even if I can’t rid my XP system of IE8.

  9. I think that if I were still using an XP system I would give serious thought to upgrading to Linux.
    And Brian, someone has stolen the hyphen from your US-CERT link.

  10. Rabid Howler Monkey

    From the Microsoft advisory linked in Brian’s update to the article, under “Mitigating Factors”:

    “By default, Internet Explorer on Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2 runs in a restricted mode that is known as Enhanced Security Configuration. This mode mitigates this vulnerability.”

    A question: Why doesn’t Microsoft, by default, have Internet Explorer running in Enhanced Security Configuration on its client operating systems (e.g., Windows XP, Vista and 7)?

    This, at least, would give some fraction of its consumer, SOHO and small business customers a fighting chance. They’d at least have an opportunity to think about adding unknown web sites to Internet Explorer’s Trusted Zone.

    • Interesting, RHM!

      I’ve noticed in my honey pot lab lately, that about 85% of the time, IE9 will block or otherwise detect bad files/URLs when I’m testing for malware – I have to actually blow through the usual protections given by the IE browser and operating system to get to a point that my other defenses can be tested. This has become a joke to do lately, because most of the previous zero day sites, are already dead, after 24 hours and no malicious files can be downloaded.

      It has come to acquiring junk email accounts full of spam to test for today’s threats. I must give credit to Matt over at Remove-Malware.com for this tip, to be honest about it. Now I doubt I have ESC on Microsoft Windows Vista Ultimate x64, but the regular restricted rights protections are pretty darn good compared to the not-too-distant past. I’ve pretty much closed my honey pot lab and simply watch Matt’s YouTube videos to see how the latest anti-malware performs. Besides, I’m too lazy to go to VM technology, and my clients won’t do that anyway. I still get action simply testing software, and visiting IT related sites; that is where the real danger is for malware infections, in my case.

      I never cease to be amazed at how many OEM driver/software packages are infected from the factory by PUPs and malware that attempt to steal my checking/credit card account information from SSL sessions at local government, banking, or shopping sites. One of them, from Brother printers, sent out probes to assess my network’s vulnerabilities, and fortunately my UTM gateway caught the traffic and the attempts to send information out of the LAN. I was able to rid myself of this problem by downloading the new driver from the Brother site, but I lodged a complaint with them about their suspicious CDs and whoever they hired to burn them. I’m getting bad files from all the OEMs at any given test session.

      • Rabid Howler Monkey

        Here’s another example. In this case, however, Internet Explorer 9 is the only version affected. Here’s the link to Microsoft’s Security Bulletin:

        http://technet.microsoft.com/en-us/security/bulletin/ms12-071

        First, it’s important to note that the vulnerabilities in MS12-071 were privately reported and were not in the wild at the time the bulletin was released. What’s important to capture from this bulletin follows.

        First, from the “Executive Summary”:

        “This security update is rated Critical for Internet Explorer 9 on Windows clients and Moderate for Internet Explorer 9 on Windows servers.”

        Why is the security update rated less critical for Internet Explorer 9 on Windows servers than on Windows clients? Note that there are 3 vulnerabilities covered by this bulletin:

        o CFormElement Use After Free Vulnerability – CVE-2012-1538
        o CTreePos Use After Free Vulnerability – CVE-2012-1539
        o CTreeNode Use After Free Vulnerability – CVE-2012-4775

        There is a common mitigating factor for each of these vulnerabilities:

        “By default, Internet Explorer on Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2 runs in a restricted mode that is known as Enhanced Security Configuration. This mode mitigates this vulnerability.”

        Sound familiar? You see, it matters with Internet Explorer 9 too.

        • Oh yeah! Definitely.

          I don’t have ESC, but I do have EMET – now whether I am implementing it correctly is another question.

          Thank you RHM for bringing this to the discussion!

          • Hi JCitizen,

            If you wish I can assist you by answering any questions you may have about EMET.

            I help out when I can on the EMET forum and have received 50 recognition points for my contributions.

            Thank you and Happy New Year.

    • Dear Rabid,
      When enabled, IE ESC makes normal web browsing almost impossible as it disables all sorts of dynamic content (plug-ins, javascript). IE ESC requires that you explicitly add all your domains that you trust into the Trusted Sites zone. If you have ever browsed a single website with IE ESC enabled, then you know that this mode is not suitable for end users on Windows desktops, which is why this mode is only enabled on Windows Server by default.

      • Rabid Howler Monkey

        My understanding, of Windows Server 2003 anyway, is that one can disable the message box which informs the user that active content is blocked (and is a PITA). And, when disabled, an Internet Explorer menu item ‘File’ -> ‘Add this site to’ is available which pops up a window with a choice of Security Zones. This allows a user to go to a URL and easily add the URL to the Trusted Zone. How is this behavior more difficult than managing Favorite sites in Internet Explorer?

  11. MS Fix it released for IE 0-day…
    - http://technet.microsoft.com/en-us/security/advisory/2794220
    Updated: Dec 31, 2012 – “… Workarounds: Apply the Microsoft Fix it solution, “MSHTML Shim Workaround”, that prevents exploitation of this issue. See Microsoft Knowledge Base Article 2794220* …”
    * http://support.microsoft.com/kb/2794220#FixItForMe
    Last Review: Dec 31, 2012 – Rev 1.0


  12. Please find below the best description that I have encountered so far of how this zero day attack works:

    http://www.symantec.com/connect/blogs/internet-explorer-zero-day-used-watering-hole-attack-qa

    All of the previous descriptions that I have read simply mention how DEP and ASLR are bypassed and then exploit code is run. This blog post actually gives a step-by-step description of how this is achieved.

    • Thanks JimboC:

      But I can’t help thinking that even if you get past DEP, my other defenses will stomp the offender! Just sayin’ – and BTW – I don’t need Symantec – although I do offer it to clients who seem to need IT hand holding! ;)

      • Hi JCitizen and Rabid Howler Monkey,

        I wasn’t trying to promote Symantec when I posted that link. I simply wished to provide the best information I had encountered so far.

        According to Sophos, running as a limited user on your PC also offers significant protection against this exploit.

        http://nakedsecurity.sophos.com/2012/12/31/zero-day-vulnerability-in-internet-explorer-being-used-in-targeted-attacks-fixit-now-available/

        Thanks for your additional suggestions about JavaScript and iFrames, I will implement these too.

        JCitizen you are right when you say that even if DEP is bypassed your other defenses would still stomp on the attack, after all that is what defense-in-depth is all about. Since EMET by default enforces mandatory ASLR it makes a great defense (not even counting its many other mitigations) and this is just one of your extra defenses.

        Thank you both for your kind words.

        • Hi JCitizen and Rabid Howler Monkey,

          I followed your advice of disabling iFrames and JavaScript. I use IE 10 Release Preview (installed November 2012) installed on Windows 7 64 bit SP1. IE 10 has all security updates installed.

          I also have Enhanced Protected Mode and EMET 3.0 enabled for IE. I also use ActiveX Filtering and Tracking Protection (I realize ActiveX filtering is very similar to Enhanced Protected Mode but there is a difference and the difference is why I keep both enabled).

          I used the following sources of information to allow me to disable the above 2 features:

          iFrames:

          http://answers.microsoft.com/en-us/ie/forum/ie8-windows_other/anyway-to-completely-disable-iframes/2f4c16cb-d7bf-4b97-a5d3-8e7a963af835

          JavaScript:

          http://stackoverflow.com/questions/4667253/how-to-disable-javascript-in-ie9-beta

          The only trouble I have encountered is with JavaScript fully disabled, the 10 clickable most visited sites on the new tab page of IE no longer appear. This is a large drawback since I use these very often. I use the Favorites bar extremely often too but the 10 most popular sites links save me a lot of time. For this reason I am keeping JavaScript enabled. If I am suspicious of any site that I visit I will disable it.

          I like reducing my attack surface and all of the above measures help to keep my PCs safe. This latest Zero day flaw does NOT have me running scared but the above changes do help harden IE against future attack.

          Thanks again and thanks to Brian for his excellent steps to keep your PC safe.

    • Rabid Howler Monkey

      JimboC, thanks for posting this information as well as your prior posts.

      Following the advice in Brian’s “Tools for a Safer PC” article will protect one’s Windows XP/Vista/7-based PC against this exploit:

      http://krebsonsecurity.com/tools-for-a-safer-pc/

      o Put a leash on JavaScript
      o Download, install and configure Microsoft’s EMET for Internet Explorer

      The only Windows client operating system, in its default state, that is immune to this zero-day exploit is Windows 8. [Note: Internet Explorer 9 does not default with either Vista or 7, one must upgrade from an earlier IE version.]

      P.S. Putting a leash on iFrames is also a good idea if one runs Firefox with NoScript, Opera or Chrome with NotScript(?) (see JimboC’s Symantec link for the iFrame role in this exploit).

      • Rabid Howler Monkey

        Oops! Running an alternate browser in and of itself protects one from this zero-day exploit. My point was that iFrames were a part of this exploit and are used for many misdeeds along with JavaScript.

  13. The burglar is most likely to simply kill the alarm panel with one swing from his wrecking bar.

    You do have a wireless transmitter hidden, right? ’Cause the burglar disconnected your phone lines and cut your TV cable before he broke the door …

    now: does that hidden wireless transmitter sense the fault on the alarm control panel ?

    i use the same service shown in this article and couldn’t get a straight answer from the installer

    • ps

      Alarm circuits must operate “in the negative”: the absence of the green “OK” signal trips the alarm.

      Dead men tell no tales and dead control units do not send out alarms.

  14. It appears that the security update from Microsoft for this flaw will not be available next Tuesday, 8th January 2013. If this is correct all affected IE 6 to IE 8 users will need to continue using the Fix It solution.

    http://threatpost.com/en_us/blogs/patch-ie-zero-day-wont-be-among-microsoft-security-updates-next-week-010313

    Thank you.

  15. Quick update on this IE Zero day flaw. A patch may be needed sooner than anticipated since the Fix It Solution has now been bypassed. However Exodus Intelligence has stated they will not disclose how the bypass was performed until the patch is released. Here is a link to the full news article:

    http://threatpost.com/en_us/blogs/researchers-bypass-microsoft-fix-it-ie-zero-day-010413

    While this is bad news, there is some good news too, since the patch should be released sooner and may also be more comprehensive: the patch was to simply offer a permanent alternative to the Fix It solution, and this may no longer be enough.

    I hope this helps. Thank you.

    • Rabid Howler Monkey

      Thanks for the update, JimboC. However, we all know that ordinary Windows users will not be applying Microsoft’s fixit to their systems.

      This is why I have harped so intensely above on Microsoft’s Enhanced Security Configuration (ESC) built into their Windows server operating systems. While the ESC default behavior is not user-friendly, the Internet Explorer menu item ‘File’ -> ‘Add this site to’, also built into ESC, allows a user to go to a URL and easily add the URL to the Trusted Zone. Here’s a link to this described behavior for Windows Server 2003:

      http://support.microsoft.com/kb/815141

      By not providing its Windows client operating system users with a user-friendly way to manage trusted sites with its Internet Explorer browser, Microsoft has put millions of its customers at risk. This goes all the way back to Windows XP, at least. This behavior is what NoScript provides Firefox users and NotScript provides Chrome users. Putting a leash on JavaScript (and ActiveX for Internet Explorer) is fundamental to security on the Internet. Create and manage your own whitelisted web sites!

      And we recently learned that this exploit was being served at least as far back as early December, 2012. A simple mechanism allowing users to manage trusted sites in Internet Explorer could have saved many from falling victim to these exploits.
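The discussion above (Rabid Howler Monkey’s points on Enhanced Security Configuration, the ‘Add this site to’ menu item and managing one’s own whitelist of Trusted Sites) comes down to entries in Internet Explorer’s zone map. The script below is an added example, not code from the article or from any commenter: it lists the current user’s zone assignments and adds a site to the Trusted Sites zone the way the Internet Options dialog does. The `ZoneMap\Domains` registry layout, the scheme-named DWORD values and the zone numbers 0-4 are Microsoft’s; the function names and the two-label domain split are this example’s own assumptions.

```powershell
# Added example (not from the article or its commenters): audit and manage the
# Internet Explorer Trusted Sites whitelist for the current user. The registry
# layout is Microsoft's; helper names and the domain-splitting rule are ours.

$ZoneMapDomains = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
$ZoneNames = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }

function Get-IEZoneAssignments {
    # One subkey per registered domain (...\Domains\example.com), with an optional
    # host-label subkey beneath it (...\example.com\www). Each value is named after
    # a scheme ("http", "https" or "*") and holds the zone number as a DWORD.
    if (-not (Test-Path $ZoneMapDomains)) { return @() }
    Get-ChildItem $ZoneMapDomains -Recurse | ForEach-Object {
        $key = $_
        $relative = $key.Name.Substring($key.Name.IndexOf('Domains\') + 8)
        $labels = $relative.Split('\')
        [array]::Reverse($labels)                      # example.com\www -> www.example.com
        $hostName = $labels -join '.'
        foreach ($scheme in $key.GetValueNames()) {
            $zone = [int]$key.GetValue($scheme)
            New-Object PSObject -Property @{
                Host     = $hostName
                Scheme   = $scheme
                Zone     = $zone
                ZoneName = $ZoneNames[$zone]
            }
        }
    }
}

function Add-IETrustedSite {
    param(
        [Parameter(Mandatory = $true)][string]$Domain,   # e.g. www.example.com
        [string]$Scheme = 'https'                         # 'http', 'https' or '*'
    )
    # IE keeps the registered domain as the top-level key and any extra host
    # label as a subkey. This assumes a two-label registered domain (example.com);
    # for public suffixes such as co.uk the split has to be adjusted by hand.
    $labels = $Domain.ToLower().Split('.')
    if ($labels.Count -lt 2) { throw "Expected a domain with at least two labels: $Domain" }
    $keyPath = Join-Path $ZoneMapDomains ($labels[-2..-1] -join '.')
    if ($labels.Count -gt 2) {
        $keyPath = Join-Path $keyPath ($labels[0..($labels.Count - 3)] -join '.')
    }
    if (-not (Test-Path $keyPath)) { New-Item -Path $keyPath -Force | Out-Null }
    Set-ItemProperty -Path $keyPath -Name $Scheme -Value 2 -Type DWord   # 2 = Trusted sites
    Get-ItemProperty -Path $keyPath
}

# Report what is whitelisted today; the Add-IETrustedSite call is left commented
# so that running the script as-is changes nothing.
Get-IEZoneAssignments | Sort-Object Zone, Host | Format-Table Host, Scheme, ZoneName -AutoSize
# Add-IETrustedSite -Domain 'www.example.com' -Scheme 'https'
```

Two caveats a practitioner would want. First, when the “Security Zones: Use only machine settings” policy is enabled, IE reads the same layout under `HKLM` instead of `HKCU`, and on Windows Server with ESC the parallel `ZoneMap\EscDomains` key holds the ESC zone map; adjust `$ZoneMapDomains` accordingly. Second, Protected Mode is off by default in the Trusted Sites zone, so every site added to the whitelist also gives up that mitigation; scheme-specific entries (`https` rather than `*`) keep the list as narrow as possible.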

      • Well – at least most of my clients have migrated to Vista or above, with IE9, so they aren’t at risk in this particular vulnerability at least.

        For those that still have XP I always install Spybot Search & Destroy, which, while it has no “trusted site” manipulation, at least does use the Internet Options part of IE to block bad cookies and URLs. I think it can do most of this without a host file. I use SpywareBlaster for a minimum host file (and ActiveX reg hacks) for that. This has kept all of them protected so far, along with other good security defenses.

        Winpatrol at least lets them know something is trying to manipulate a startup danger on the limited account, so they can mitigate the damage immediately. I think MBAM has made a major change recently, because Avast reports its behavior as a root kit. So it can now be counted as another good kernel layer defense (if you buy the pro version). The familiar red M is gone and a new blue icon has replaced it.

        I recommend MBAM even for my indigent clients, as the lifetime license is more than reasonable. It has a really good IP address blocker that even works in the outbound. I’ve stopped using Comodo or Online Armor firewalls now that these developments have occurred. They were getting too bloated for XP anyway.

        • I really wish Spybot would have its own stand alone immunization program, that’s about all I use it for still. Granted, it only blocks the known stuff, but better than nothing.

          • One of the good things about it, is that it uses IE settings to accomplish this. So no interference with other good blended defenses. This is what makes an effective defense, is the inclusion of several technologies and utilities. If malware gets past one, then some other defense will likely slap it down.

            Just blocking URLs can go a long way, because the criminals can only use so many domains for the usual attack. Adobe Flash is the vector; Flash for IE is ActiveX if I’m not mistaken. Chances are that SpywareBlaster will have the registry hack to block the usual miscreants. I actually bother to buy the auto-update feature so I get the reg hacks as soon as they come out. I notice mine updates fairly regularly, but I’m a realist too. I’m sure some of these vectors will use zero day threats. That is where Winpatrol can at least alert to the manipulations. Threatfire was another good one in this venue but is now blended into some other Symantec product. I use Mamutu by Emsisoft, but I can’t recommend it for folks on a budget. Emsisoft will shut down Spybot’s resident (conflict), but it doesn’t affect the immunization.

            Adaware used to be one of the best – but I refuse to use suite products – I have always had better luck with stand alone utilities.

            • It’s always interesting to hear what people use in their lineup. Yeah, Adaware died for me back in the mid 2000s. I guess for my own lineup I just use ESET Smart Security and MBAM. ESET doesn’t rank up there with Kaspersky but I like its interface and it just feels a lot less bloaty. Their “Live Grid” seems alright too, but I’m pretty sure any major anti virus has something like it.

              Keeping up with the updates for everything though, that’s the hardest part, especially once you’re done with a machine and have to return it to someone. And then there’s the embarrassment I see every time I’m around computers in a work environment. Next time you find yourself in a hospital for example and they have “family computers” which you can do whatever with, where kids have even installed games: do a virus scan. See the last time something as basic as Windows Update was run. Laugh at the fact that, although they have an antivirus they probably pay huge amounts per machine it’s installed on, it’s not even been updated in a year. Is that sloppy work really what passes for getting paid as Tech Support? I’d do it for free and enjoy it rather than let people that actually have to use these machines daily suffer.

              • I like ESET – I just had so much trouble with their licensing that I quit using it personally. I still recommend it for folks who own SMBs or do online financial activity.

                A lot of the things I use are free or economical enough for my clients. I figure if they are taking the risk, I need to step up to the plate and take it with them. So far so good.