Old IE Attack Finds its Way into Cool Exploit Kit

Microsoft reports that a 15-month-old Internet Explorer exploit has been included into the Cool Exploit Kit. The bug was first exploited at the 2012 Pwn2Own contest.

You cannot accuse the keepers of the Cool Exploit Kit of not recognizing market trends. Given a rash of recent watering hole attacks and zero-day exploits built around Microsoft’s Internet Explorer browser, it’s no surprise that a 15-month-old IE exploit has been included in the crimeware package.

Microsoft reported last night the inclusion of CVE-2012-1876 in Cool, a vulnerability in IE that was patched last June in MS12-037.

This is a remote code execution heap-based buffer overflow flaw that impacts IE 6-9. Researchers from VUPEN demonstrated a successful exploit during the 2012 Pwn2Own contest that was able to bypass ASLR and DEP data execution protections built into Window. VUPEN’s exploit beat a fully patched version of IE 9 running on a Windows 7 machine.

“This can be achieved by leaking an address of the mshtml.dll module, building a heap spray based on this address and triggering the vulnerability again to execute the payload,” VUPEN said in a blogpost last July, adding that its researchers combined this exploit with another zero-day in order to bypass IE’s Protected mode.

“After triggering the vulnerability for a memory leak to disclose interesting addresses, it is possible to trigger the same vulnerability once again to achieve code execution by overflowing the same buffer in memory with arbitrary values,” VUPEN said.

Microsoft’s Justin Kim said Cool is the only kit to carry the IE exploit.

“For a while it seemed exploit kit writers were not too interested in this vulnerability,” Kim said.

The IE exploit is not the only new addition to Cool. Microsoft said Adobe Reader and Flash exploits have also been added (CVE-2012-0755 and CVE-2013-0634, respectively). The IE attack, however, opens the spectrum of potential victims because of a return-oriented programming technique that allows it to identify the DLL a process is running on, and match a malicious payload to the corresponding DLL.

“The exploit includes not only one but 18 different attack payloads, giving attackers the ability to leverage 18 different versions ofmshtml.dll. In the past, there was only one payload per exploit targeting one specific version of the module, usually XP system files or several other 3rd-party files that are without address space layout randomization (ASLR) protection enabled,” Kim said. “With this enhancement in exploit stability, the exploit is capable of exploiting a larger population of victims, including those using Windows Vista and Windows 7.”

The Cool Exploit Kit was first detected in October in a spate of attacks involving the Reveton ransomware. The discovery of Cool happened after French researcher Kafeine discovered an exploit for a Windows vulnerability first exploited by Duqu. The same exploit ended up in the Blackhole Exploit Kit, leading experts to conclude the same group was running both.

As for the Adobe-related additions to Cool, the most severe seems to be CVE-2013-0634 for Flash, which was patched by Adobe in February. The exploit injects websites with malicious .SWF files targeting Firefox and Safari users. This is the same LadyBoyle attack used against targets in the aerospace industry signed with digital certificates stolen from Asian gaming companies as outline in the Winnti research done by Kaspersky Lab. Tibetan activists were also targets of these attacks as well.

Suggested articles