"Microsoft is aware of limited, targeted attacks that attempt to exploit a vulnerability in Internet Explorer 6, Internet Explorer 7, Internet Explorer 8, Internet Explorer 9, Internet Explorer 10, and Internet Explorer 11," states a security advisory for CVE-2014-1776 that Microsoft released late on Saturday.
FireEye Research Labs identified this new zero-day that is actively being exploited in an ongoing campaign dubbed "Operation Clandestine Fox." The zero-day is "significant" since the vulnerable versions of Internet Explorer "represent about a quarter of the total browser market." More specifically, FireEye said the "vulnerability affects IE 6 through IE 11, but the attack is targeting IE 9 through IE 11. This zero-day bypasses both ASLR and DEP."
The vulnerability is a remote code execution vulnerability. The vulnerability exists in the way that Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated. The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website.
FireEye said, "The APT group responsible for this exploit has been the first group to have access to a select number of browser-based 0-day exploits (e.g. IE, Firefox, and Flash) in the past. They are extremely proficient at lateral movement and are difficult to track, as they typically do not reuse command and control infrastructure."
Although the researchers' investigation is still ongoing, they explained some exploitation details, as the "exploit leverages a previously unknown use-after-free vulnerability, and uses a well-known Flash exploitation technique to achieve arbitrary memory access and bypass Windows' ASLR and DEP protections."
During a BSides presentation in February, a Bromium Labs security researcher bypassed "all of the protections" in Microsoft's free Enhanced Mitigation Experience Toolkit (EMET) 4.1. Shortly thereafter, Microsoft released a tech preview of EMET version 5.0. Even so, FireEye researchers are recommending EMET as a mitigation for the current zero-day being exploited in IE, because it breaks this particular exploit even though a determined attacker could in principle engineer around it.
FireEye's mitigation advice reads: "Using EMET may break the exploit in your environment and prevent it from successfully controlling your computer. EMET versions 4.1 and 5.0 break (and/or detect) the exploit in our tests. Enhanced Protected Mode in IE breaks the exploit in our tests. EPM was introduced in IE10. Additionally, the attack will not work without Adobe Flash. Disabling the Flash plugin within IE will prevent the exploit from functioning."
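The three mitigations above (EMET, Enhanced Protected Mode, and disabling Flash in IE) are all things an administrator can check and, for two of them, set without waiting for a patch. The PowerShell script below is an added example written for this page; it is not code from the article, FireEye or Microsoft. It audits a host for all three and, with -Apply, turns on EPM and sets the ActiveX kill bit for Flash. The registry locations it uses are not given in the article and are this example's assumptions: EPM is stored per user under HKCU\Software\Microsoft\Internet Explorer\Main as Isolation = "PMEM" (plus Isolation64Bit = 1 for 64-bit tab processes on IE11), Flash's ActiveX CLSID is {D27CDB6E-AE6D-11cf-96B8-444553540000} and bit 0x400 of its "Compatibility Flags" value is the kill bit, and EMET 4.x/5.0 register a Windows service named EMET_Service.

```powershell
<#
  Added example, not from the article, FireEye or Microsoft.
  Audits (and with -Apply, sets) the mitigations FireEye recommends for
  the IE zero-day: EMET present, Enhanced Protected Mode on, Flash disabled in IE.
  Assumptions (not stated in the article):
    - EPM flag: HKCU\Software\Microsoft\Internet Explorer\Main, Isolation = "PMEM"
    - Flash ActiveX CLSID {D27CDB6E-AE6D-11cf-96B8-444553540000}; kill bit = 0x400
    - EMET 4.x/5.0 install the service EMET_Service
  Run as the user whose IE profile you are hardening; -Apply needs an elevated
  prompt because the kill bit lives under HKLM.
#>
[CmdletBinding()]
param([switch]$Apply)

$FlashClsid  = '{D27CDB6E-AE6D-11cf-96B8-444553540000}'
$IeMain      = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
$KillBitKeys = @(
  "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$FlashClsid",
  # 32-bit IE processes on 64-bit Windows read the WOW6432 view of this key.
  "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$FlashClsid"
)

function Get-RegValue([string]$Path, [string]$Name) {
  # Returns $null instead of throwing when the key or value does not exist.
  try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Test-Emet {
  # Assumption: EMET registers EMET_Service; also accept its configuration key.
  $svc = Get-Service -Name 'EMET_Service' -ErrorAction SilentlyContinue
  return [bool]($svc -or (Test-Path 'HKLM:\SOFTWARE\Microsoft\EMET'))
}

function Test-Epm {
  # "PMEM" = Enhanced Protected Mode on; "PMIL" (or absent) = plain Protected Mode.
  return ((Get-RegValue $IeMain 'Isolation') -eq 'PMEM')
}

function Test-FlashKillBit {
  # Bit 0x400 of Compatibility Flags is the ActiveX kill bit; IE refuses to load the control.
  $flags = Get-RegValue $KillBitKeys[0] 'Compatibility Flags'
  return ($null -ne $flags) -and (($flags -band 0x400) -ne 0)
}

function Get-IeMitigationStatus {
  [pscustomobject]@{
    EmetInstalled = Test-Emet
    EpmEnabled    = Test-Epm
    FlashDisabled = Test-FlashKillBit
  }
}

function Set-IeMitigations {
  # EPM is a per-user setting; no elevation needed for this part.
  New-Item -Path $IeMain -Force | Out-Null
  Set-ItemProperty -Path $IeMain -Name 'Isolation'      -Value 'PMEM' -Type String
  Set-ItemProperty -Path $IeMain -Name 'Isolation64Bit' -Value 1      -Type DWord

  # Kill bit for Flash in both registry views so 32-bit and 64-bit IE both honour it.
  foreach ($key in $KillBitKeys) {
    if ($key -like '*Wow6432Node*' -and -not [Environment]::Is64BitOperatingSystem) { continue }
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value 0x400 -Type DWord
  }

  # EMET cannot be switched on from here if it is not installed; say so rather than hide it.
  if (-not (Test-Emet)) {
    Write-Warning 'EMET not detected: install EMET 4.1 or the 5.0 Tech Preview and add iexplore.exe to its protected applications.'
  }
}

Write-Host 'Before:'
Get-IeMitigationStatus | Format-List
if ($Apply) {
  Set-IeMitigations
  Write-Host 'After:'
  Get-IeMitigationStatus | Format-List
  Write-Host 'Restart Internet Explorer for EPM and the Flash kill bit to take effect.'
}
```

Run it without arguments to see the three checks; run `.\Harden-IE.ps1 -Apply` from an elevated prompt to set EPM and the kill bit. Two caveats match what FireEye says: EPM only exists on IE10 and IE11, so on IE9 and earlier that check will always report false and only the Flash kill bit helps; and the kill bit blocks Flash for every site in IE, which is the intended effect but will break Flash-dependent internal applications until a patch lands and the bit is cleared.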
Microsoft is currently investigating and working on a fix, but this is a zero-day being exploited in the wild after security patches for Windows XP have come to an end (XP reached end of support on April 8, 2014). XP, however, can run nothing newer than IE 8, which is vulnerable but is not currently being targeted in "Operation Clandestine Fox."
Follow me on Twitter @PrivacyFanatic