Expect amped up pressure aimed in Microsoft’s direction for a patch for the Internet Explorer zero day that surfaced last week, now that researchers at Exodus Intelligence reported today they have developed a bypass for the Fix It that Microsoft released as a temporary mitigation.

Their new exploit beat a fully patched Windows system running IE 8, the same version of the browser exploited by malware used in watering hole attacks against a number of political and manufacturing websites, including the Council on Foreign Relations in the U.S., and Chinese human rights site Uygur Haber Ajanski.

IE 6 and 7 also contain the same use-after-free memory vulnerability (CVE-2012-4792) but are currently not being exploited. Microsoft said the impact of the attacks is limited; IE 9 and 10 are not vulnerable, Microsoft said. Yesterday’s Patch Tuesday advisory previewing next Tuesday’s batch of security updates did not include an IE patch.

Brandon Edwards, VP of Intelligence at Exodus, said his firm’s researchers looked at the Fix It to determine how much of the vulnerability it prevented. “Usually, there are multiple paths one can take to trigger or exploit a vulnerability,” Edwards said. “The Fix It did not prevent all those paths.”

The Fix It, according to Microsoft, is an appcompat shim that modifies in memory a particular function to always return NULL, resulting in a safe crash of the browser rather than allowing for remote code execution.

“It comes down to clearly understanding the root cause and ways the browser can get to the affected code,” Edwards said. “The Fix It covered paths used by the exploit, but not all the ways the vulnerability can be reached. A full patch should eliminate all those possibilities.”

In the meantime, a handful of political, social and human rights sites in the U.S., Russia, China and Hong Kong have been infected and serving malware, for weeks in some cases, that exploits the IE zero day; as of yesterday, the Uygur website was still serving an exploit, researcher and Metasploit contributor Eric Romang said.

Microsoft has been informed of the Exodus Intelligence exploit; researchers at Exodus said they will not disclose details of their exploit until Microsoft addresses the vulnerability.

Earlier this week, Exodus developed what it called a more advanced exploit of the IE vulnerability, which led them to look more closely at the Fix It. Unlike the original remote code injection exploit, this one does not require a heap spray to execute it. Peter Vreugdenhil said they were able to take advantage of IE8’s support for HTML+TIME, which is no longer supported in more current versions of the browser. The researchers were able to create an array with pointers to strings they controlled, he said, enabling them to control system calls without a heap spray.

“I used some new and/or non-public techniques to get a reliable exploit that doesn’t require heap spray, but all in all this bug can be exploited quite reliably,” Vreugdenhil said in a blogpost.

Symantec, meanwhile, yesterday attributed the attacks to the Elderwood Project, which has been responsible for a number of Microsoft zero days in 2012, including an attack in May against Amnesty International’s Hong Kong site targeting CVE-2012-1875, and several defense-related sites discovered in September to be hosting malware targeting CVE-2012-4969. Symantec then tied the latest IE zero-day to the group after concluding that the Council on Foreign Relations and Capstone Turbine Corp. websites were hosting the same malicious Shockwave file.

“All the samples we identified include a function named HeapSpary. HeapSpary is a clear mistyping of Heap Spray, a common attack step used in vulnerability exploitation,” Symantec wrote in a blogpost. “In addition to this commonality, there are many other symbols in common between the files.”

Watering hole attacks are carried out to monitor the victim’s online activities. Attackers inject malicious files onto websites hoping to snare people with an interest in the site’s focus. These types of attacks are not only effective, but are more economical than targeted attacks that start with a phishing email. Watering hole attacks require less advance legwork, yet are generally state-sponsored, intelligence-driven attacks.

The compromise of the CFR website, a foreign-policy resource for its notable public figure members and directors, brought the latest zero-day to light. The attack began as early as Dec. 7 and was still going on through the Christmas holiday. Attackers used a malicious Adobe Flash file called today.swf to launch a heap spray attack against IE, overrunning memory and enabling an attacker to remotely execute code on an infected computer. The Javascript hosting the exploit checks first to see if the Windows language is set to English, Chinese, Japanese, Korean or Russian before executing. It also uses cookies to ensure the attack is delivered only once.
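As an added illustration of the attribution and delivery clues described in the Symantec quote and the CFR paragraph above (example code written for this edit, not from Symantec or the article), the following scanner flags page content carrying those indicators: the misspelled `HeapSpary` function, the `today.swf` loader, a Windows-language check, and a one-shot cookie. The rule weights and the two sample pages are constructed assumptions.

```python
import re

# Indicator rules taken from the article's reporting; weights are a constructed
# scoring choice for this example, not a vendor signature.
RULES = {
    "heapspary_symbol": (re.compile(r"\bHeapSpary\s*\("), 5),
    "today_swf_loader": (re.compile(r"\btoday\.swf\b", re.I), 4),
    "language_gate": (re.compile(r"navigator\.(systemLanguage|userLanguage|browserLanguage)"), 2),
    "one_shot_cookie": (re.compile(r"document\.cookie"), 1),
}

def scan(content: str) -> dict:
    """Return {rule_name: [line numbers]} for every rule that fires on content."""
    hits = {}
    for lineno, line in enumerate(content.splitlines(), start=1):
        for name, (pattern, _weight) in RULES.items():
            if pattern.search(line):
                hits.setdefault(name, []).append(lineno)
    return hits

def score(hits: dict) -> int:
    """Sum the weights of the rules that fired."""
    return sum(RULES[name][1] for name in hits)

def verdict(content: str) -> str:
    """'high' if an Elderwood-specific clue fires, 'medium' for the generic
    language-gate plus one-shot-cookie pairing, otherwise 'low'."""
    hits = scan(content)
    if "heapspary_symbol" in hits or "today_swf_loader" in hits:
        return "high"
    if "language_gate" in hits and "one_shot_cookie" in hits:
        return "medium"
    return "low"

# Constructed sample carrying only the article's indicator strings; it is not
# the real page and contains no exploit logic.
SUSPICIOUS_PAGE = """<script>
var lang = navigator.systemLanguage.toLowerCase();
if (document.cookie.indexOf("seen=1") < 0) {
    document.cookie = "seen=1";
    function HeapSpary() { }
    var o = document.createElement("object");
    o.data = "today.swf";
}
</script>"""

# Constructed benign page: a plain session cookie alone should not alert.
BENIGN_PAGE = """<script>
document.cookie = "session=abc; path=/";
</script>"""

if __name__ == "__main__":
    for name, page in (("suspicious", SUSPICIOUS_PAGE), ("benign", BENIGN_PAGE)):
        print(name, verdict(page), score(scan(page)), scan(page))
```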

The vulnerability, Microsoft said, occurs in the way IE accesses an object in memory that has been deleted or not properly allocated. Memory may be corrupted and allow an attacker to execute code with the user’s privileges.

Researchers at Avast Software yesterday reported infections on multiple sites worldwide. Researcher Jindrich Kubec said two of the sites were also hosting the binaries and configurations found in the September attacks Symantec tied to Elderwood. Those attacks were serving the PlugX and Poison Ivy RATs.


Comments (5)

  1. Anonymous

    Is it just my solitary observation that Microsoft is peddling some really poorly written code? How is it that hackers around the world, and arbitrary programmers from various security firms, are able to see the MS code’s Swiss cheese, hole-infested product and create vulnerabilities or functional fixes left and right at will? MS seems to be a never-ending font of vulnerability in their products that has been ongoing since version 3.0 (Post DOS).

    This all adds up to the appearance that Windows anything is seriously flawed at the lowest core level, and this paltry level of programming appears unchanged into the future!

    Some of us realized this from IE4 and bailed out back then. Mozilla browsers are miles ahead of MS in this field. Yet, MS continues to release substantially inferior browsers heaping with infections and vulnerabilities. W8 is in its infancy, barely released and is clinically in full leprosy… Not to mention the W8 dysfunctionality [In my opinion]

    In my opinion, MS is producing software in a vacuum bottle with no consideration to what the market desires. This is MS, the software dictatorship trying to reshape a hostile consumer market. They appear to be headed towards the Google Android model of no tools to fight spam, no user accessibility to the OS, and unlimited access to the user space for unlimited advertising and data mining. That’s the glory hole.

    I wish Kaspersky would shed more technical details as to the defects in the products they discover or report on.

    What do all the bad guys know that MS doesn’t?

    Answer: Nothing.

  2. Anonymous

    I’ve received an email from MS (SRD) on January 07 (CET) stating the following:
    “We saw the Exodus Intelligence blog post and have reached out to them but they haven’t shared their proof-of-concept yet that bypasses our Fix It. We are hoping to get it from them soon.”

    Strange, isn’t it?

  3. Anthony

    Wow, superb blog layout! How long have you been blogging for? You make blogging look easy. The overall look of your web site is magnificent, let alone the content!

  4. ipokedots.com

    That is very interesting. You’re an excessively professional blogger. I’ve joined your feed and look ahead to in the hunt for extra of your fantastic post. Also, I’ve shared your web site in my social networks.

  5. Anonymous

    twitter.com/jness/status/288681705227829248


    Looks like they sent the information over to Microsoft shortly after their blog post… as they said they were going to.
