Internet Explorer users, exposed to a zero-day vulnerability in the browser and a faulty temporary Fix It from Microsoft, finally got some relief today when the company, as promised, released an out-of-band patch.
Meanwhile, a handful of new telco, manufacturing and human rights sites have been infected and have been serving exploits since the public release of the zero-day, a researcher told Threatpost.
The IE security update repairs previously unreported flaws in IE 6-8 exploited in watering hole attacks against government and manufacturing websites worldwide.
Exploits were seen in the wild against IE 8 only, but IE 6 and 7 contain the same use-after-free vulnerability. Sites visited by high-value targets were compromised and served the exploit as a drive-by download. An attacker who successfully exploits the flaw can execute arbitrary code on the vulnerable machine with the same privileges as the logged-on user.
The vulnerability was reported shortly after Christmas Day when it was discovered that the Council on Foreign Relations website had been compromised and serving malware for close to a month. Soon thereafter, Capstone Turbine Co., a power equipment manufacturer for utilities, was also serving malware as were political, social and human rights websites in Russia, China and Hong Kong.
Researcher Eric Romang said that since then he has seen more sites hosting the exploit, including an Australian telco provider, a US service provider and a US importer of used Japanese auto parts.
“After the public release of the zero day, two different variants of the zero day have been found exploited in targeted attacks against human rights activists, a Japanese tourism agency and a Taiwan petrochemical company,” Romang said.
CVE-2012-4792 is a memory corruption issue in IE that occurs when the browser accesses an object in memory that has been deleted or was never properly initialized. The resulting memory corruption lets an attacker run code of their choosing in the context of the browser process, and so effectively take control of the machine.
The CFR compromise drew the first attention to the zero day, though Romang said the attacks began as early as Dec. 7. Symantec has linked these attacks to the Elderwood group, the same group said to be behind the 2009 Aurora attacks on Google. Attackers planted a malicious Adobe Flash file on the CFR site which carried out a heap spray against IE before the vulnerability was triggered. The JavaScript first checked the Windows language and ran only if it was set to English, Chinese, Japanese, Korean or Russian. It also checked cookies so that the exploit was delivered only once per visitor.
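The locale and once-only gating described above is worth modelling on its own, because it explains both why the CFR compromise stayed unnoticed for weeks and why a sandbox that detonates the page with a non-target locale, or with a cookie jar from a previous visit, sees nothing. The block below is an added illustration written for this article, not code recovered from the CFR site or from the Elderwood exploit kit: it models only the delivery decision and contains no heap spray or exploit logic. The target language list is taken from the article; the cookie name `served`, the `lang`/`cookies` profile fields and the sample profiles are assumptions constructed for the example.

```javascript
// Added illustration of the locale-and-cookie gating described in the article.
// Models the delivery decision only; no exploit or heap-spray code is included.
// Target languages come from the article; the cookie name and the sample
// profiles below are assumptions constructed for this example.

const TARGET_LANGS = new Set(["en", "zh", "ja", "ko", "ru"]);
const MARK_COOKIE = "served"; // assumed marker name; the real one is not given

// Reduce an IE-style language tag such as "en-us" or "zh-CN" to its primary subtag.
function primaryLanguage(tag) {
  if (typeof tag !== "string") return "";
  return tag.trim().toLowerCase().split(/[-_]/)[0];
}

// Parse a document.cookie-style string ("a=1; b=2") into a Map of name -> value.
function parseCookies(cookieString) {
  const out = new Map();
  for (const part of (cookieString || "").split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    out.set(part.slice(0, idx).trim(), part.slice(idx + 1).trim());
  }
  return out;
}

// The gate: deliver only to a targeted Windows language, and only once per browser.
function shouldDeliver(systemLanguage, cookieString) {
  if (!TARGET_LANGS.has(primaryLanguage(systemLanguage))) return false;
  if (parseCookies(cookieString).has(MARK_COOKIE)) return false;
  return true;
}

// What a landing page would set after the first visit so the next visit is skipped.
function markCookie() {
  return `${MARK_COOKIE}=1; path=/`;
}

// Analyst view: given a set of detonation profiles, which ones would ever see the payload?
function profilesThatTrigger(profiles) {
  return profiles
    .filter((p) => shouldDeliver(p.lang, p.cookies))
    .map((p) => p.name);
}

// Constructed sample profiles for a detonation harness (not real data).
const SAMPLE_PROFILES = [
  { name: "us-fresh", lang: "en-US", cookies: "" },
  { name: "us-repeat", lang: "en-us", cookies: "sessionid=abc; served=1" },
  { name: "de-fresh", lang: "de-DE", cookies: "" },
  { name: "cn-fresh", lang: "zh-CN", cookies: "other=1" },
];

// Only "us-fresh" and "cn-fresh" pass: the German profile is outside the target
// list and the repeat US visitor already carries the marker cookie.
console.log(profilesThatTrigger(SAMPLE_PROFILES));
console.log("marker written after first visit:", markCookie());
```

The practical takeaway for incident responders is in `profilesThatTrigger`: when replaying a suspected watering-hole page, run it with the system language set to each targeted locale and with an empty cookie jar on every attempt, otherwise the gate silently returns nothing and the page looks clean.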
Microsoft was quick to offer temporary workarounds and mitigations, including a Fix It. The stop-gap was short-lived, however: security company Exodus Intelligence reported Jan. 4 that it had bypassed the Fix It. Exodus VP of Intelligence Brandon Edwards told Threatpost the Fix It did cover the code paths used by the known exploits, but not all the ways the vulnerable code could be reached.
A source said Microsoft was able to take the details provided by Exodus and confirm that the Fix It could be bypassed; Exodus did not provide the full source code for its proof of concept to Microsoft, as it only does so for its customers.
Past watering hole attacks have been linked to nation states, including China. They are intelligence-driven and target sites frequented by influential people—the real targets of the attacks. Attackers inject malicious files onto websites hoping to snare people with an interest in the site’s focus. These types of attacks are not only effective, but are more economical than targeted attacks that start with a phishing email.
Microsoft continues to call the impact of the attacks limited. IE 8 installations, meanwhile, account for the majority of enterprise market share, followed by IE 7 and 6. IE 9 and 10 are not vulnerable, Microsoft said.
In the meantime, users are urged to apply the IE patch immediately.
“Please note that this update is a real patch and not a cumulative update as we are used to for typical Internet Explorer updates,” said Wolfgang Kandek, CTO at Qualys. “It is highly recommended to have MS12-077, the last cumulative Internet Explorer update, installed before applying MS13-008.”