CyberAbc

New zero-day bug in IE 10 exploited in active malware attack, MS warns

0day-screenshot.png

Microsoft has confirmed reports of a recently active attack that surreptitiously installed malware on computers running a fully patched version 10 of the Internet Explorer browser. The attacks also work on IE 9, the company warned.

The zero-day exploit was served on vfw[.]org, the official website for the Veterans of Foreign Wars, according to a blog post published Thursday afternoon by security firm FireEye. The people behind the attack compromised the VFW website and then embedded an iframe tag that silently loaded a page on another site that hosted the exploit. While FireEye researchers didn't identify the second site, Aviv Raff, chief technology officer of Israel-based security firm Seculert, said it was aliststatus[.]com. He provided the screenshot above, which he said showed the exploit in action.

The FireEye researchers wrote:

After compromising the VFW website, the attackers added an iframe into the beginning of the website’s HTML code that loads the attacker’s page in the background. The attacker’s HTML/JavaScript page runs a Flash object, which orchestrates the remainder of the exploit. The exploit includes calling back to the IE 10 vulnerability trigger, which is embedded in the JavaScript. Specifically, visitors to the VFW website were silently redirected through an iframe to the exploit at www.[REDACTED].com/Data/img/img.html.

The attackers, who appear to be the same ones behind at least two other recent zero-day attacks, were able to exploit the underlying "use after free" bug in a way that modified memory at a specified address. That allowed them to bypass address space layout randomization (ASLR), a technique for minimizing the damage exploits can have by randomizing the memory locations where objects are loaded. By preventing attackers from knowing where in memory their malicious code will reside, ASLR greatly reduces the chances an exploit will succeed. The attackers behind this most recent exploit were able to modify arbitrary memory addresses, allowing them to bypass the ASLR protection.

FireEye said techniques used in the exploit and resulting malware contained similarities to two other recent zero-day campaigns, including one called Operation Deputy Dog and another dubbed Operation Ephemeral Hydra. FireEye has branded this latest attack Operation SnowMan.

"Microsoft is aware of limited, targeted attacks against Internet Explorer 9 and 10," a spokeswoman wrote in an e-mail sent Thursday night. "As our investigation continues, we recommend customers upgrade to Internet Explorer 11 for added protection."

The Thursday afternoon post fleshes out a bare-bones advisory FireEye published earlier in the day.

For the time being, people should avoid using IE 10 whenever possible, at least until more information becomes available. In general, people who must use IE for compatibility reasons should already use IE version 11, since it has security protections not available in earlier releases. People should also strongly consider switching to another browser altogether. Google Chrome has long received high marks for security, as has Mozilla Firefox.
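For site operators, the injected iframe FireEye describes (placed at the very beginning of the HTML and loading a third-party page in the background) is something a periodic audit of served pages can flag. The following is an added example, not code from the article or from FireEye; the allowlist, host names and sample page are constructed placeholders.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: hosts this site legitimately frames (placeholder names).
ALLOWED_FRAME_HOSTS = {"player.example-video.test"}
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)

class IframeAuditor(HTMLParser):
    """Record each <iframe> that is off-allowlist, hidden, or ahead of <body>."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host
        self.seen_body = False
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag == "body":
            self.seen_body = True
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}
        # Relative src values resolve to the site itself.
        host = urlparse(a.get("src", "")).hostname or self.site_host
        reasons = []
        if host != self.site_host and host not in ALLOWED_FRAME_HOSTS:
            reasons.append("unlisted-host")
        tiny = a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
        if tiny or HIDDEN_STYLE.search(a.get("style", "")):
            reasons.append("hidden")
        if not self.seen_body:
            reasons.append("before-body")
        if reasons:
            self.findings.append((self.getpos()[0], host, reasons))

def audit(html, site_host):
    """Return [(line, frame_host, reasons)] for suspicious iframes in html."""
    parser = IframeAuditor(site_host)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample page: first iframe mimics an injected, invisible frame.
SAMPLE = """<iframe src="http://injected.invalid/a/b.html" width="0" height="0"></iframe>
<html><head><title>Home</title></head><body>
<iframe src="https://player.example-video.test/embed/1" width="560"></iframe>
<iframe src="/local/widget.html"></iframe>
</body></html>"""

if __name__ == "__main__":
    for line, host, reasons in audit(SAMPLE, "www.example.org"):
        print(f"line {line}: iframe -> {host} ({', '.join(reasons)})")
```

Run it against the HTML as actually served to visitors rather than the files on disk, since an injection may live in a template, database field or server module.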
