
Microsoft issues quick fix for critical zero-day hole in IE

Microsoft scrambled to issue a quick fix for a critical zero-day hole in Internet Explorer 6, 7 and 8 after highly targeted cyber espionage attacks were delivered via drive-by downloads.

By Ms. Smith on Wed, 01/02/13 - 11:48am.

There seems to have been no rest for Microsoft over the 2012 holidays as it issued a quick fix for a zero-day IE vulnerability that attackers were actively exploiting via drive-by download attacks. It may have felt like a flashback for the company as it also rushed to issue an emergency out-of-band update to deal with vulnerabilities in late December 2011.

[Image: Zero day targets Microsoft Internet Explorer users]

After security vendor FireEye reported on the zero-day, Microsoft confirmed the vulnerability to Brian Krebs. Chinese hackers were suspected of planting malware for cyber-espionage on the Council on Foreign Relations (CFR) server and pushing out the drive-by attack via the vulnerability in IE, reported the Washington Free Beacon. Drive-by downloads are especially dangerous because victims can have their computer hijacked just by visiting an infected website. The "attackers limited their targeting to CFR members and website visitors who used browsers configured for Chinese language characters - an indication the attackers were looking for people and intelligence related to China." The FBI is reportedly investigating.

So at first, on Dec. 29, Microsoft issued a security advisory which said the company was "aware of targeted attacks that attempt to exploit this vulnerability through Internet Explorer 8." Also on that day, US-CERT posted a vulnerability note. On Dec. 30, a Metasploit module to exploit the vulnerability was published. Microsoft updated the advisory on Dec. 31 to acknowledge that the zero-day vulnerability affected Internet Explorer 6, IE 7, and IE 8. The newest versions of the browser, IE 9 and IE 10, are not affected, so Microsoft advises anyone using the older IE versions to update.

Symantec called this a "watering hole" attack in which victims were first profiled to determine what websites they visit; the chosen site is injected with malware and, like lions waiting at a watering hole, attackers wait for the visitors to be infected at the compromised site. The attackers used malware dubbed Bifrose as a "backdoor" to steal files from infected computers.

[Image: Microsoft's social networking site So.cl was vulnerable to clickjacking]

That wasn't the only headache for Microsoft. The company waited nearly five months to fix a clickjacking vulnerability in its social media website So.cl, according to Softpedia.

Clickjacking techniques involve an invisible element layered over the page that follows your mouse around, waiting for you to click on something, anything, while you are there. Attackers can use clickjacking to covertly turn on your computer's camera and microphone, but many people are unaware of that, as was highlighted in the study that found 1 in 2 Americans are 'clueless' about webcam hacking. It can also be used to easily deanonymize you, as explained by Jeremiah Grossman, founder of WhiteHat Security, in "I know who you are after 1 click online."

Security researcher Nikhil Kulkarni provided a proof-of-concept that demonstrated the clickjacking vulnerability to EHacking News. The So.cl page appears to load in the background while a "click below to win your prize money" button sits on a "top layer." If a user clicked the button, it would post a message on the victim's wall.

Kulkarni told Softpedia that So.cl users could easily be victims and be fooled into clicking on links they "may find interesting such as free gifts or 'click to win million dollar' reward scams. The users think that they are clicking visible buttons, while they are actually performing actions on the hidden page. The hidden page may be an authentic page; therefore, the attackers can trick the victims into performing actions which the victim never wanted to perform."

Although Kulkarni notified Microsoft of this flaw in August, Microsoft said the clickjacking attack "was not a security issue." The company stuck with the "not a security issue" answer despite the 4-5 proof-of-concepts the researcher sent to them. "They have only recently realized that this really was a flaw that should be addressed."


Follow me on Twitter @PrivacyFanatic