It’s been 14 days since Microsoft issued an advisory and temporary mitigation for a zero-day vulnerability in Internet Explorer, one being actively exploited in the wild and called by some experts as severe a browser bug as you can have.
Yet users have since had little more to shield them from these active attacks than a Fix It tool released by Microsoft on Sept. 17. In the meantime, exploits have already taken down a number of Japanese media sites in a watering hole attack targeting government agencies and manufacturers in Japan, and have been implicated in other attacks in Asia going back further than first thought. Microsoft has yet to issue an out-of-band patch for the bug, and with Patch Tuesday a week away, it’s increasingly likely users will continue to be exposed for at least another seven days.
That approach has worked to date because known attacks have been relatively targeted and on a small scale. Yesterday, however, things may have been accelerated with the release of a Metasploit exploit module for CVE-2013-3893. If you’re a believer in HD Moore’s Law, a theory proposed by Josh Corman of Akamai that mirrors Moore’s Law of computing in that casual attacker power grows at the rate of Metasploit, then one could expect an uptick in attacks using this IE bug.
Microsoft did not respond to a request for comment, but last week in response to the attacks against the Japanese media sites, Microsoft said it was continuing to work on developing and testing a security update and urged customers to install the Fix It.
Metasploit engineer Wei Chen wrote in a blogpost that while the exploit currently being seen in the wild targets IE 8 on Windows XP and IE 9 on Windows 7, the vulnerability is found in IE all the way back to IE 6 and the Metasploit module could be tweaked for a broader swath of targets.
According to Chen, the IE8 on XP version of the exploit targets only English, Chinese, Japanese and Korean users, unlike the Windows 7 targets.
“Instead, the exploit would try against any Windows 7 machines (IE8/IE9) as long as Office 2007 or Office 2010 is installed,” he said. “This is because the Microsoft Office Help Data Services Module (hxds.dll) can be loaded in IE, and is required to leverage Return-Oriented Programming in order to bypass DEP and ASLR, and gain arbitrary code execution.”
FireEye said infected computers connect to a command and control server in South Korea over port 443; the callback traffic is unencrypted, despite its use of port 443, FireEye said, adding that a second sample it collected also connected to the same South Korean IP address. FireEye said it also discovered a handful of malicious domains also pointing to the IP in South Korea, which allowed them to make the connection to an attack against security company Bit9 this year. The same email address that registered the South Korean server also registered a domain used in the attack on the security company.