
IE zero-day attacks to ramp up: Metasploit releases module

Metasploit released a module for the IE zero-day vulnerability that has been exploited in the wild for the last three months, since at least July 1.

Both security professionals and cybercriminals use Metasploit, a penetration testing toolkit maintained by Rapid7, so when a Metasploit module is released, you should expect attacks against unpatched vulnerabilities to kick into a higher gear. Yesterday, Metasploit released a module for the latest IE zero-day vulnerability being exploited in the wild.

Microsoft's security advisory dated September 17 listed IE 6, 7, 8, 9, 10 and 11 as affected software, but the Fix-it issued two weeks ago claimed, "The exploit we analyzed worked only on Windows XP or Windows 7 running Internet Explorer 8 or 9." However, this IE zero-day has been exploited since as far back as three months ago, on July 1, according to Websense Security Labs. "These C&C communications predate the widely-reported first use of this attack infrastructure by more than six weeks, and indicates that the attacks from this threat actor are not just limited to Japan."

Security firm FireEye previously determined that this IE zero-day was being exploited "as early as August 19, 2013" against government entities, media organizations and manufacturers in Japan. It dubbed the APT campaign 'Operation DeputyDog' and linked it to the same group of Chinese hackers who hit Bit9 earlier this year. AlienVault, another security firm, reported identifying "a version of the exploit hosted on a subdomain of Taiwan's Government e-Procurement System."

Yesterday, FireEye reported that "at least three other Advanced Persistent Threat (APT) campaigns known as Web2Crew, Taidoor, and th3bug have made use of the same exploit to deliver their own payloads to their own targets. It is not uncommon for APT groups to hand off exploits to others, who are lower on the zero-day food chain - especially after the exploit becomes publicly available."

Attacks exploiting this newest unpatched IE zero-day have been increasing. Last week, the Internet Storm Center raised its threat level from green to yellow due "to increased evidence of exploits in the wild regarding Microsoft Security Advisory 2887505."

Since the exploit is not a secret, and the "bug has been going on for awhile," Rapid7 said "there's no point to hide it." When releasing the Metasploit module yesterday, Rapid7 stated, "if you build it, nerds will come." Although "the vulnerability affects Internet Explorer from 6 all the way to 11," the "exploit in the wild primarily targets Internet Explorer 8 on Windows XP, and Internet Explorer 8 and 9 on Windows 7."

With that being "a little confusing," Rapid7's Wei Chen added:

For IE8 with XP, the exploit fingerprints regions such as English, Chinese (including Taiwan, Hong Kong, China, Singapore), French, German, Japanese, Portuguese, Korean, and Russian. However, it is only tweaked for English, Chinese, Japanese, and Korean, which makes sense because XP is still pretty popular in Asian countries. This also just means a portion of the fingerprinting code seems junk, and appears to be reused since at least 2012, as this malicious MS12-037 code indicates. Perhaps these exploits are from the same exploit pack with the same library, I don't know for sure.

Windows 7 targets don't seem to have this language restriction. Instead, the exploit would try against any Windows 7 machines (IE8/IE9) as long as Office 2007 or Office 2010 is installed. This is because the Microsoft Office Help Data Services Module (hxds.dll) can be loaded in IE, and is required to leverage Return-Oriented Programming in order to bypass DEP and ASLR, and gain arbitrary code execution. The fingerprinting code for Office is also reused.

Hopefully the above clarifies about who the targets are. However, I should also remind everyone again that the vulnerability affects IE 6/7/8/9/10/11. So at any moment this exploit can be improved to target more users around the world, if not already.

As of yesterday, the CVE-2013-3893 exploit Metasploit module "can be only tested on Internet Explorer 9 on Windows 7 SP1 with either Office 2007 or Office 2010 installed."
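The reason hxds.dll matters to this exploit is that it loads into IE without ASLR, which gives the attacker a predictable address to build a ROP chain from. As an added example (not code from the article, Rapid7 or Microsoft), the following Python reads the DllCharacteristics word from a PE optional header so a defender can audit which modules on a host opt in to ASLR (DYNAMIC_BASE) and DEP (NX_COMPAT); the fake_pe() header is constructed for offline demonstration and the file paths are taken from the command line.

```python
import struct
import sys
from pathlib import Path

# DllCharacteristics flags from the PE/COFF specification
DYNAMIC_BASE = 0x0040  # image opts in to ASLR (relocatable at load time)
NX_COMPAT = 0x0100     # image opts in to DEP


def dll_characteristics(image: bytes) -> int:
    """Return the DllCharacteristics word of a PE image given its raw bytes."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20  # skip the PE signature and the 20-byte COFF header
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (0x10B, 0x20B):  # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+ optional headers
    (flags,) = struct.unpack_from("<H", image, opt + 70)
    return flags


def mitigations(image: bytes) -> dict:
    """Report whether the image opts in to ASLR and DEP."""
    flags = dll_characteristics(image)
    return {"aslr": bool(flags & DYNAMIC_BASE), "dep": bool(flags & NX_COMPAT)}


def modules_without_aslr(paths):
    """Return the given module paths that lack DYNAMIC_BASE (fixed load address)."""
    return [p for p in paths if not mitigations(Path(p).read_bytes())["aslr"]]


def fake_pe(flags: int) -> bytes:
    """Constructed minimal PE32 header for the demo; not a real DLL."""
    dos = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = b"PE\x00\x00" + b"\x00" * 20
    opt = struct.pack("<H", 0x10B) + b"\x00" * 68 + struct.pack("<H", flags)
    return dos + coff + opt


if __name__ == "__main__":
    # Demo on constructed headers, then on any real module paths passed as arguments
    print("constructed ASLR+DEP header:", mitigations(fake_pe(DYNAMIC_BASE | NX_COMPAT)))
    print("constructed no-ASLR header: ", mitigations(fake_pe(NX_COMPAT)))
    for path in modules_without_aslr(sys.argv[1:]):
        print("no ASLR opt-in:", path)
```

Modules this reports as lacking ASLR are the ones worth forcing to a random base with EMET's mandatory ASLR or removing from the browser's loadable set until the vendor patch lands.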

Although Microsoft will probably close this hole on the upcoming Patch Tuesday, on October 8, some security experts have speculated that if attacks "ramp up" enough then Microsoft may issue an out-of-band update.

Follow me on Twitter @PrivacyFanatic
