Microsoft Responds to IE Zero Day Used in CFR Watering Hole Attack

UPDATE – Microsoft responded this weekend with temporary mitigations and workarounds for a zero-day vulnerability in Internet Explorer exploited in an attack on the Council on Foreign Relations website.


IE 6, 7 and 8 are vulnerable to exploits that would enable a remote attacker to execute code on a computer running the flawed browser. IE 9 and 10, the latest versions of the browser, are not vulnerable, Microsoft said.

Dustin Childs, group manager Trustworthy Computing, said in an email to Threatpost that Microsoft has issued a Fix-It and is working on a Security Update for the vulnerability. It is unknown whether Microsoft will issue an out-of-band patch, or wait until Jan. 8 when its next batch of scheduled security updates is due.

News broke on Friday of the vulnerabilities after a nearly month-long watering hole attack against the CFR website. The foreign-policy resource site includes many notable public figures among its members and directors. Researchers dubbed it a watering hole attack, where a website frequented by topically connected subjects is infected with malware hoping to snare those site visitors in drive-by attacks. The attackers in past watering hole attacks such as Aurora and VOHO are thought to be state-sponsored and are ultimately after some kind of business, government or military intelligence.

“We are only aware of a very small number of targeted attacks at this time,” Microsoft said in Security Advisory 2794220, released Saturday. “This issue allows remote code execution if users browse to a malicious website with an affected browser. This would typically occur by an attacker convincing someone to click a link in an email or instant message.”

Among its workarounds and mitigations, Microsoft recommends setting Internet and local intranet security zone settings to high, which will block ActiveX controls and Active Scripting in these zones; users should add trusted sites to IE’s Trusted Sites zone because this mitigation will impact the usability of some websites. Microsoft also recommends administrators configure IE to prompt users before running Active Scripting, or disable it altogether.
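The following PowerShell script is an added example, not code from the article or from Microsoft's advisory. It applies the two per-zone changes the workaround boils down to, disabling "Run ActiveX controls and plug-ins" and "Active scripting" in the Internet and Local intranet zones, rather than switching the whole zone template to High, and then reads the settings back so an administrator can confirm they took effect. It assumes the standard Internet Explorer zone registry layout (zone 1 = Local intranet, 2 = Trusted sites, 3 = Internet; action 1200 = ActiveX controls, 1400 = Active scripting; 0 = Enable, 1 = Prompt, 3 = Disable); the domain added to Trusted sites is a placeholder.

```powershell
# Added example (not the article's or Microsoft's code). Hardens the per-user
# IE zone settings and verifies the result. Assumed registry layout:
#   Zones\<n>: 1 = Local intranet, 3 = Internet
#   action 1200 = "Run ActiveX controls and plug-ins", 1400 = "Active scripting"
#   value 0 = Enable, 1 = Prompt, 3 = Disable
# Run as the affected user and restart Internet Explorer afterwards.

$ZonesKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$ZoneMapKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
$Zones      = @{ 1 = 'Local intranet'; 3 = 'Internet' }
$Actions    = @{ '1200' = 'Run ActiveX controls and plug-ins'; '1400' = 'Active scripting' }
$Disable    = 3   # use 1 here instead if you prefer "Prompt" over "Disable"

function Set-IEZoneAction {
    # Writes one zone action value (DWORD) for the given zone number.
    param([int]$Zone, [string]$Action, [int]$Value)
    $path = Join-Path $ZonesKey $Zone
    Set-ItemProperty -Path $path -Name $Action -Value $Value -Type DWord
}

function Add-IETrustedSite {
    # Maps https://<domain> into the Trusted sites zone (zone 2) so a site that
    # needs scripting keeps working after the Internet zone is locked down.
    param([string]$Domain)
    $path = Join-Path $ZoneMapKey $Domain
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    Set-ItemProperty -Path $path -Name 'https' -Value 2 -Type DWord
}

function Test-IEWorkaround {
    # Returns one row per zone/action with the effective value and whether it
    # is at least as strict as "Prompt" (i.e. not silently enabled).
    foreach ($zone in $Zones.Keys) {
        $path = Join-Path $ZonesKey $zone
        foreach ($action in $Actions.Keys) {
            $v = (Get-ItemProperty -Path $path -Name $action -ErrorAction SilentlyContinue).$action
            [pscustomobject]@{
                Zone    = $Zones[$zone]
                Action  = $Actions[$action]
                Value   = $v
                Blocked = ($v -eq 1 -or $v -eq 3)
            }
        }
    }
}

# Apply the workaround to both zones, whitelist one placeholder site, verify.
foreach ($zone in $Zones.Keys) {
    foreach ($action in $Actions.Keys) {
        Set-IEZoneAction -Zone $zone -Action $action -Value $Disable
    }
}
Add-IETrustedSite -Domain 'example.com'   # placeholder; replace with a site you actually trust
Test-IEWorkaround | Format-Table -AutoSize
```

The verification step matters because IE re-reads these values when it starts, so a row showing `Blocked = False` after the script has run usually means a Group Policy setting (under HKLM or the policy hive) is overriding the per-user value and the change has to be made there instead.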

IE on Windows Server 2003, 2008 and 2008 R2 runs by default in a restricted mode, which mitigates the vulnerability, Microsoft said. The same goes for Outlook, Outlook Express and Windows Mail when opening HTML email messages in the restricted sites zone.

The vulnerability, Microsoft said, occurs in the way IE accesses an object in memory that has been deleted or not properly allocated. Memory may be corrupted and allow an attacker to execute code with the user’s privileges.

Jonathan Ness and Cristian Craioveanu, software security engineers with Microsoft, point out that exploits against these types of vulnerabilities generally bypass the Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR) protections in place in the Windows operating system. Four exploits used in four targeted attacks analyzed by Microsoft displayed similar characteristics, including the use of obfuscated JavaScript to trigger the vulnerability and the use of a Flash file to generate a heap spray attack and overrun the buffer.

Users of these older browsers are also encouraged to update IE; in the meantime a Fix-It is expected shortly.

The CFR attack, experts said, is an attempt to get at some of the government and political figures who frequent the site; some members and directors include former secretaries of state Madeleine K. Albright and Colin L. Powell, former treasury secretary Robert Rubin, and former ambassador Carla A. Hills.

FireEye researcher Darien Kindlund did an early analysis of the exploit and learned that the JavaScript hosting the exploit triggers only against browsers set to English, Chinese (China and Taiwan), Japanese, Korean and Russian. The exploit also uses cookies to deliver the attack once per user; it also tracks when the infected page was last visited via cookies, Kindlund said.

Researcher Eric Romang told Threatpost that the CFR website had been hosting malware as early as Dec. 7, according to a Google cache, and researchers at FireEye said it was still hosting malware on Dec. 26, the day after Christmas.

A large watering hole attack was carried out in June and July against government and financial websites in Maryland and Massachusetts, as well as against websites promoting democracy in oppressed regions of the world, RSA’s FirstWatch research team reported. The Gh0st RAT remote access Trojan was used in those attacks to carry out surveillance against victims. Gh0st RAT not only steals data from computers, but can turn on embedded webcams and microphones, and has been tied to numerous state-sponsored attacks.

This article was updated to include a link to the Microsoft Fix-It.
