Another Internet Explorer zero-day vulnerability exploited in targeted attack

A number of organisations around the world have been targeted by an attack using a previously unknown vulnerability in Internet Explorer.

The latest security advisory concerning Internet Explorer involves an exploit that has only been seen on one website so far. According to Symantec, that was a legitimate site that had been infiltrated by the attackers and used to host their malicious content.

Symantec's Vikram Thakur said the attack took the form of an email purportedly about hotel bookings that was sent to "a select group of individuals within targeted organisations" containing a link to the page containing the exploit.

The exploit silently installed malware that created a backdoor on the victim computer and accessed a server in Poland to download small, encrypted files containing commands.

"Looking at the flow of commands, it is obvious to us that someone is entering these commands manually from a remote computer," said Thakur.

While the attackers specifically targeted Internet Explorer 6 and 7, Microsoft has determined that the underlying problem is also present in IE 8, though there it is mitigated by DEP (data execution prevention). DEP is enabled by default for IE 8, and can be enabled on earlier versions by using Microsoft's free Enhanced Mitigation Experience Toolkit (EMET).


"Internet Explorer 9 Beta users are not affected by this issue and any customers who wish to upgrade their browser to this version can do so freely at www.microsoft.com/ie," said a Microsoft spokesperson. However, few organisations are comfortable running beta software on production systems.

It appears that the targeted organisations (and Thakur said there were "more than a few") generally weren't using IE 6 or 7, or they had already implemented mitigations such as DEP. Analysis of the log files from the compromised server showed that "very few" visitors had accessed the payload file. "We are not aware of any affected customers," said Jerry Bryant, group manager, response communications at Microsoft's trustworthy computing group.

The vulnerability itself involves CSS handling. It turns out that when faced with a certain combination of CSS tags, IE allocates insufficient memory to store them, potentially allowing the partial overwriting of a pointer. This situation is potentially exploitable using a heap spray attack.

According to the Microsoft Security Response Center engineering team, DEP blocks this type of attack, and attempts to circumvent it will be "highly unreliable (i.e. causing IE to crash)," particularly on systems supporting ASLR (address space layout randomisation).

Further protection against the vulnerability can be gained by applying a custom CSS. Instructions can be found in the advisory (see 'Workarounds').

Microsoft is developing a security update to fix the vulnerability, and it will apparently be released on a subsequent Patch Tuesday: "The issue does not meet the criteria for an out-of-band release," said Bryant.




Stephen Withers


Stephen Withers is one of Australia's most experienced IT journalists, having begun his career in the days of 8-bit 'microcomputers'. He covers the gamut from gadgets to enterprise systems. In previous lives he has been an academic, a systems programmer, an IT support manager, and an online services manager. Stephen holds an honours degree in Management Sciences and a PhD in Industrial and Business Studies.