Microsoft announced this afternoon that the zero-day vulnerability being exploited in a watering hole attack against an unnamed U.S.-based NGO website was already scheduled to be patched in a cumulative Internet Explorer update tomorrow.
The zero-day was reported publicly on Friday by FireEye researchers, and today a few more dots were connected on the attack, which is dropping a variant of the McRAT Trojan that has been used in a number of targeted espionage attacks aimed at industrial secrets.
Microsoft promised a relatively light Patch Tuesday tomorrow that included another IE rollup, a staple of the company’s monthly security updates in 2013. Dustin Childs, a group manager in the Microsoft Trustworthy Computing group, said today that the vulnerability in an IE ActiveX Control will be patched in MS13-90 tomorrow.
In its advance notification released last Thursday, Microsoft said the IE bulletin is rated critical because it involves flaws that can lead to remote code execution. The critical rating applies to IE 6-8 on Windows XP, IE 7-9 on Vista, IE 8-10 on Windows 7, and IE 10 on Windows 8 and 8.1; all other versions are rated important.
FireEye told Threatpost today that the attack is limited to a single U.S.-based website hosting domestic and international policy guidance. No details were available on how the site was compromised, only that the victims were hit by malware in drive-by download attacks targeting an information leakage vulnerability and a memory corruption issue leading to remote code execution.
What differentiates this attack from other watering hole attacks is that victims are not subject to malicious iframes or traffic-redirects to attacker-controlled sites and further malware downloads. Instead, McRAT is injected directly into memory, a new twist on advanced targeted attacks.
“By using memory-only methods, the attack is exceptionally difficult for network defenders to detect, when trying to examine and confirm which endpoints are infected, using traditional disk-based forensics methods,” said Darien Kindlund, FireEye director of threat intelligence.
Microsoft said a number of mitigations are available to IE users until a patch is applied, namely setting the security zone level to “High” to block ActiveX Controls and Active Scripting, though users could experience some usability issues. IE can also be configured to prompt a user before running Active Scripting. The Enhanced Mitigation Experience Toolkit (EMET) is also a viable mitigation, Microsoft said.
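The following PowerShell script is an added example, not from the article or from Microsoft, that audits whether the two Internet-zone settings named above (ActiveX controls and Active Scripting) are set to Prompt or Disable for the current user, and optionally sets them to the Disable value the “High” level uses. It assumes the documented per-user zone registry layout (zone 3 is the Internet zone; URL action values 1200 and 1400 with 0 = Enable, 1 = Prompt, 3 = Disable), which should be verified against the IE build in use.

```powershell
# Added example (not from the article): audit the IE "Internet" zone (zone 3) for
# the two settings the article's workaround relies on, and optionally apply the
# Disable value that the built-in "High" security level sets for them.
# Assumption: the documented per-user zone registry layout; verify on your build.
$ZonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# Well-known URL action values: 0 = Enable, 1 = Prompt, 3 = Disable
$Checks = @{
    '1200' = 'Run ActiveX controls and plug-ins'
    '1400' = 'Active scripting'
}

function Get-ZoneActionState {
    param([string]$Action)
    $value = (Get-ItemProperty -Path $ZonePath -Name $Action -ErrorAction SilentlyContinue).$Action
    switch ($value) {
        0       { 'Enable' }
        1       { 'Prompt' }
        3       { 'Disable' }
        default { "Unknown ($value)" }
    }
}

function Test-IEZoneMitigation {
    param([switch]$Remediate)
    $ok = $true
    foreach ($action in $Checks.Keys) {
        $state = Get-ZoneActionState -Action $action
        $good  = $state -in 'Prompt', 'Disable'
        '{0,-36} {1,-8} {2}' -f $Checks[$action], $state, $(if ($good) { 'OK' } else { 'EXPOSED' })
        if (-not $good) {
            $ok = $false
            if ($Remediate) {
                # 3 = Disable, matching what the "High" zone level applies to both actions
                Set-ItemProperty -Path $ZonePath -Name $action -Value 3 -Type DWord
                "  -> set $action to Disable"
            }
        }
    }
    return $ok
}

# Audit only; run with -Remediate to enforce Disable on any EXPOSED setting.
Test-IEZoneMitigation
```

The built-in “High” level also changes other zone settings; this script only checks and sets the two the article names, so it is a narrower change than switching the whole zone to High.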
The IE patch is one of eight bulletins scheduled for tomorrow, three of those rated critical. The scheduled security updates, however, will not include a patch for the Windows TIFF zero-day being actively exploited in attacks primarily in Pakistan. The vulnerability in several Windows and Office versions is being exploited in targeted attacks against Windows XP systems running Office 2007. Microsoft released a Fix-It tool as a stopgap measure until a patch is released out of band or with the December security updates.