This week’s watering hole attack exploiting a zero-day vulnerability in Internet Explorer was not limited to the influential Council on Foreign Relations site. A Metasploit contributor said an energy manufacturer’s website has been serving malware related to the attack since September.

Researcher Eric Romang said that Capstone Turbine Corp., which builds power generation equipment for utilities, has been infected with malware exploiting CVE 2012-4969 for four months and the latest IE exploit since Dec. 18.

Meanwhile, a Metasploit module has been added to the exploit platform, which could rapidly increase the public availability of exploits.

Microsoft said it is still working on a security update for the browser vulnerability; as a temporary solution, it released a Fix-It on Monday night.

Watering hole attacks use drive-bys to target visitors of particular websites; attackers infect the sites with malware that gives the attacker access to the victim’s computer to install more malware or monitor their activities. Watering hole attacks have been used in previous APT-style attacks against Google, large manufacturers and technology companies.

Capstone figures to be a valuable target, Romang said, given its position in the energy community as a producer of microturbine energy products. He found the same malicious html file on the Capstone site as was found residing on the CFR site.

IE 6, 7 and 8 contain the zero-day, a use-after free vulnerability according to AlienVault researcher Jaime Blasco.

“The exploit is able to exploit both Windows XP and Windows 7 bypassing both data execution (DEP) and address space layout randomization (ASLR) protections,” Blasco wrote in a blogpost. DEP and ASLR were implemented in Windows to mitigate memory-based exploits.

The CFR website has been compromised since early December, Romang said. Attackers used a malicious Adobe Flash file called today.swf to launch a heap spray attack against IE, overrunning memory and enabling an attacker to remotely execute code on an infected computer. The Javascript hosting the exploit checks first to see if the Windows language is set to either English, Chinese, Japanese, Korean or Russian before executing. It also uses cookies to ensure the attack is delivered only once.

The Council on Foreign Relations is a foreign-policy resource; notable public figures are among its directors and membership. Those government and public officials are the likely targets of the espionage campaign.

Microsoft insists the impact of the attack is limited since IE 9 and 10 are not vulnerable to the same exploit. Yet it recommends users deploy the Fix It or update their browsers to the latest version. Microsoft’s Jonathan Ness and Cristian Craioveneau wrote in a blogpost that the MSHTML appcompat shim modifies the vulnerable function to return NULL.

“Because the function returns NULL, there is no freed object access the exploit fails to work. This shim may have the side effect in some circumstances of the default form button not being selected by default,” they wrote. “The shim targets specific mshtml.dll versions so it will deprecate itself when the official update is installed through Windows Update. However, we recommend uninstalling it after it is no longer needed, due to a minor performance impact at application startup.”

The vulnerability, Microsoft said, occurs in the way IE access an object in memory that has been deleted or not properly allocated. Memory may be corrupted and allow an attacker to execute code with the user’s privileges.

Categories: Critical Infrastructure, Hacks, Malware, Vulnerabilities

Comments (4)

  1. EricDorlock

    Since there’s a Metasploit module for it already then the bad guys have to be very close to developing their own exploits for the zero day. Zero days are becoming the norm it seems now and for security people like myself I am worried. Always something new.

  2. Jindrich Kubec - Avast

    There are at least 4 sites right now still spreading this:

    1x HK newspaper

    1x RU science site

    2x CN human rights sites

    The first sample of malware spread by the exploit was detected by Avast on 9th December.

Comments are closed.