Home Business IT Security Another Internet Explorer zero-day vulnerability exploited in targeted attack

A number of organisations around the world have been targeted by an attack using a previously unknown vulnerability in Internet Explorer.


The latest security advisory concerning Internet Explorer involves an exploit that has only been seen one one website so far. According to Symantec, that was a legitimate site that had been infiltrated by the attackers and used to host their malicious content.

Symantec's Vikram Thakur said the attack took the form of an email purportedly about hotel bookings that was sent to "a select group of individuals within targeted organisations" containing a link to the page containing the exploit.

The exploit silently installed malware that created a backdoor on the victim computer and accessed a server in Poland to download small, encrypted files containing commands.

"Looking at the flow of commands, it is obvious to us that someone is entering these commands manually from a remote computer," said Thakur.

While the attackers specifically targeted Internet Explorer 6 and 7, but Microsoft has determined that the underlying problem is also present in IE 8 though mitigated by DEP (data execution prevention). DEP is enabled by default for IE 8, and can be enabled on earlier versions by using Microsoft's free Enhanced Mitigation Experience Toolkit (EMET).

How did the exploit work? See page 2.




"Internet Explorer 9 Beta users are not affected by this issue and any customers who wish to upgrade their browser to this version can do so freely at www.microsoft.com/ie," said a Microsoft spokesperson. However, few organisations are comfortable running beta software on production systems.

It appears that the targeted organisations (and Thakur said there "more than a few") generally weren't using IE 6 or 7, or they had already implemented mitigations such as DEP. Analysis of the log files from the compromised server showed that "very few" visitors had accessed the payload file. "We are not aware of any affected customers," said Jerry Bryant, group manager, response communications at Microsoft's trustworthy computing group.

The vulnerability itself involves CSS handling. It turns out that when faced with a certain combination of CSS tags, IE allocates insufficient memory to store them, potentially allowing the partial overwriting of a pointer. This situation is potentially exploitable using a heap spray attack.

According to the Microsoft Security Response Center engineering team, DEP blocks this type of attack, and attempts to circumvent it will be "highly unreliable (i.e. causing IE to crash)," particularly on systems supporting ASLR (address space layout randomisation).

Further protection against the vulnerability can be gained by applying a custom CSS. Instructions can be found in the advisory (see 'Workarounds').

Microsoft is developing a security update to dix the vulnerability, and it will apparently be released on a subsequent Patch Tuesday: "The issue does not meet the criteria for an out-of-band release," said Bryant.

 

HOW TO OFFER 4G TO YOUR CUSTOMERS

Download an information pack to learn more about how you can offer competitive 4G plans to your customers.

> everything you need to operate your own 4G telco

> support for you and your customers

> billing, back-end and full compliance.

DOWNLOAD NOW!

HOW TOP MANAGERS MOTIVATE, ENERGISE EMPLOYEES

Download an in-depth guide to managing a healthy, motivated and energetic workforce without breaking the bank.

DOWNLOAD NOW!

Stephen Withers

joomla visitors

Stephen Withers is one of Australia¹s most experienced IT journalists, having begun his career in the days of 8-bit 'microcomputers'. He covers the gamut from gadgets to enterprise systems. In previous lives he has been an academic, a systems programmer, an IT support manager, and an online services manager. Stephen holds an honours degree in Management Sciences, a PhD in Industrial and Business Studies, and is a senior member of the Australian Computer Society.

 

 

 

 

Connect

Join the iTWire Community and be part of the latest news, invites to exclusive events, whitepapers and educational materials and oppertunities.
Why do I want to receive this daily update?
  • The latest features from iTWire
  • Free whitepaper downloads
  • Industry opportunities