Researchers Bypass Microsoft Fix It for IE Zero Day

Expect amped up pressure aimed in Microsoft’s direction for a patch for the Internet Explorer zero day that surfaced last week, now that researchers at Exodus Intelligence reported today they have developed a bypass for the Fix It that Microsoft released as a temporary mitigation.

Expect amped up pressure aimed in Microsoft’s direction for a patch for the Internet Explorer zero day that surfaced last week, now that researchers at Exodus Intelligence reported today they have developed a bypass for the Fix It that Microsoft released as a temporary mitigation.

Their new exploit beat a fully patched Windows system running IE 8, the same version of the browser exploited by malware used in watering hole attacks against a number of political and manufacturing websites, including the Council on Foreign Relations in the U.S., and Chinese human rights site Uygur Haber Ajanski.

IE 6 and 7 also hold the same use-after free memory vulnerability (CVE-2012-4792) but are currently not being exploited. Microsoft said the impact of the attacks is limited; IE 9 and 10 are not vulnerable, Microsoft said. Yesterday’s Patch Tuesday advisory previewing next Tuesday’s batch of security updates did not include an IE patch.IE

Brandon Edwards, VP of Intelligence at Exodus, said his firm’s researchers looked at the Fix It to determine how much of the vulnerability it prevented. “Usually, there are multiple paths one can take to trigger or exploit a vulnerability,” Edwards said. “The Fix It did not prevent all those paths.”

The Fix It, according to Microsoft, is an appcompat shim that modifies in memory a particular function to always return NULL, resulting in a safe crash of the browser rather than allowing for remote code execution.

“It comes down to clearly understanding the root cause and ways the browser can get to the affected code,” Edwards said. “The Fix It covered paths used by the exploit, but not all the ways the vulnerability can be reached. A full patch should eliminate all those possibilities.”

In the meantime, a handful of political, social and human rights sites in the U.S., Russia, China and Hong Kong have been infected and serving malware, for weeks in some cases, that exploits the IE zero day; as of yesterday, the Uygur website was still serving an exploit, researcher and Metaspoloit contributor Eric Romang said.

Microsoft has been informed of the Exodus Intelligence exploit; researchers at Exodus said they will not disclose details of their exploit until Microsoft addresses the vulnerability.

Earlier this week, Exodus developed what it called a more advanced exploit of the IE vulnerability, which led them to look more closely at the Fix It. Unlike the original remote code injection exploit, this one does not require a heap spray to execute it. Peter Vreugdenhil said they were able to take advantage of IE8’s support for HTML+TIME, which is no longer supported in more current versions of the browser. The researchers were able to create an array with pointers to strings they controlled, he said, enabling them to control system calls without a heap spray.

“I used some new and/or non-public techniques to get a reliable exploit that doesn’t require heap spray, but all in all this bug can be exploited quite reliably,” Vreugdenhil said in a blogpost.

Symantec, meanwhile, yesterday attributed the attacks to the Elderwood Project, which has been responsible for a number of Microsoft zero days in 2012, including an attack in May against Amnesty International’s Hong Kong site targeting CVE-2012-1875, and several defense-related sites discovered in September to be hosting malware targeting CVE-2012-4969. Symantec then tied the latest IE zero- day to the group after concluding that the Council of Foreign Relations and Capstone Turbine Corp. websites were hosting the same malicious Shockwave file.

“All the samples we identified include a function named HeapSpary. HeapSpary is a clear mistyping of Heap Spray, a common attack step used in vulnerability exploitation,” Symantec wrote in a blogpost. “In addition to this commonality, there are many other symbols in common between the files.”

Watering hole attacks are carried out to monitor the victim’s online activities. Attackers inject malicious files onto websites hoping to snare people with an interest in the site’s focus. These types of attacks are not only effective, but are more economical than targeted attacks that start with a phishing email. Watering hole attacks require less advance legwork, yet are generally state-sponsored, intelligence-driven attacks.

The compromise of the CFR website, a foreign-policy resource for its notable public figure members and directors, brought the latest zero-day to light. The attack began as early as Dec. 7 and was still going on through the Christmas holiday. Attackers used a malicious Adobe Flash file called today.swf to launch a heap spray attack against IE, overrunning memory and enabling an attacker to remotely execute code on an infected computer. The Javascript hosting the exploit checks first to see if the Windows language is set to English, Chinese, Japanese, Korean or Russian before executing. It also uses cookies to ensure the attack is delivered only once.

The vulnerability, Microsoft said, occurs in the way IE accesses an object in memory that has been deleted or not properly allocated. Memory may be corrupted and allow an attacker to execute code with the user’s privileges.

Researchers at Avast Software yesterday reported infections on multiple sites worldwide. Researcher Jindrich Kubec said two of the sites were also hosting the binaries and configurations found in the September attacks Symantec tied to Elderwood. Those attacks were serving the PlugX and Poison Ivy RATs.

Suggested articles