Microsoft will patch a lingering zero-day vulnerability in Internet Explorer next Tuesday, one of five bulletins it will release as part of its March 2014 Patch Tuesday security updates.
The IE 10 zero-day was disclosed close to a month ago when researchers at FireEye reported on Operation SnowMan, an espionage campaign that compromised the U.S. Veterans of Foreign Wars website. The attackers, experts said, were targeting the computers of active military personnel who visit the site seeking benefits information.
FireEye said a Flash exploit was used via an iFrame to trigger the use-after-free vulnerability in the browser. Compromised computers were hit with a remote access Trojan that stole data; experts speculate the attackers were hoping to steal military secrets from the active service members who use the site as a resource.
It was soon discovered that a second, unrelated group of attackers was also exploiting the IE 10 zero-day, this time to impersonate a number of French aerospace companies by redirecting legitimate traffic to hacker-controlled domains.
Researchers at Seculert said malware that modifies the hosts file on infected machines in order to add these malicious domains had previously been the domain of pharming attacks used for fraud.
“This is the first time we have seen a malware change a host file for a purpose other than fraud perpetuated by pharming or for disabling access to specific websites,” Seculert CTO Aviv Raff said.
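As an added defensive illustration (not code from the article, Seculert or Microsoft), the following Python check parses a hosts file and separates entries that redirect a hostname to a routable address, the impersonation technique described above, from entries that merely blackhole a site. The sample hosts content and the `.test` domains are constructed for the example.

```python
import ipaddress

# Constructed sample hosts file (not from the article): normal loopback entries,
# two entries of the kind the redirecting malware adds (real-looking hostnames
# pointed at an attacker-controlled address) and one that blackholes a site.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
203.0.113.45    www.example-aerospace.test   # added by malware (constructed)
203.0.113.45    portal.example-aerospace.test
0.0.0.0         update.example.net
"""

# Names a stock hosts file legitimately maps to loopback.
DEFAULT_ALLOWLIST = frozenset({"localhost", "localhost.localdomain", "broadcasthost"})

def parse_hosts(text):
    """Yield (ip_address, [hostnames]) per entry, ignoring comments and blanks."""
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed address, not a resolvable entry
        yield ip, [n.lower() for n in fields[1:]]

def classify_hosts(text, allowlist=DEFAULT_ALLOWLIST):
    """Return {"redirect": [...], "block": [...]} findings as (hostname, ip).

    redirect: name mapped to a routable address, so connections go to that
              host instead of the real site (a stock Windows hosts file never
              contains such entries).
    block:    name sunk to loopback/unspecified, i.e. access disabled.
    Intranet mappings an enterprise pushes intentionally belong in the allowlist.
    """
    findings = {"redirect": [], "block": []}
    for ip, names in parse_hosts(text):
        kind = "block" if (ip.is_loopback or ip.is_unspecified) else "redirect"
        for name in names:
            if name not in allowlist:
                findings[kind].append((name, str(ip)))
    return findings

if __name__ == "__main__":
    for kind, entries in classify_hosts(SAMPLE_HOSTS).items():
        for name, ip in entries:
            print(f"{kind}: {name} -> {ip}")
```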
Microsoft had shipped a Fix-It mitigation for the zero-day as a stopgap until a patch was ready. Microsoft said IE 9 also contains the same vulnerability, but it was not being exploited. IE 11 users running the Enhanced Mitigation Experience Toolkit (EMET) were also protected against these attacks.
The IE update is one of two critical bulletins expected next week. The other is also a remote code execution vulnerability in Windows.
All five bulletins announced by Microsoft today affect versions of Windows or IE all the way back to Windows XP, which Microsoft will no longer support with security updates as of April 8.
“Windows XP is affected by all five updates and there is really no reason to expect this picture to change: Windows XP will continue to be impacted by the majority of vulnerabilities found in the Windows ecosystem, but you will not be able to address the issues anymore,” said Qualys CTO Wolfgang Kandek. “You need a strategy for the XP machines remaining in your infrastructure. We are still seeing a significant number of XP machines in our scans.”
The remaining three bulletins were rated “important” by Microsoft and include an elevation of privilege vulnerability and a security feature bypass issue in Windows, and another security feature bypass issue in Silverlight.
“Of the remaining issues, one is an important privilege issue, probably going to be a kernel or kernel driver patch; never something to ignore but less important than a critical/remote issue,” said Ross Barrett, senior manager of security engineering at Rapid7. “The other two are the seldom seen ‘security mechanism bypasses’, probably the same issue being patched in Windows and in Silverlight. We will have to wait and see how exploitable this turns out to be. If it turns out that some of these issues are in the wild and under exploitation, then that will change the circumstances of what to prioritize.”
Silverlight, meanwhile, has relatively limited adoption, and given Microsoft’s support of Flash in IE 11, it is not out of the question that it will eventually be discontinued, said Tyler Reguly, manager of security research at Tripwire.
“In a world filled with so many web technologies, vendors could better serve the public by simply limiting choice and removing dead weight,” Reguly said.