Attackers are exploiting a recently disclosed zero-day vulnerability in Internet Explorer in campaigns targeting Windows XP users, FireEye researchers have found. While the vulnerability was patched by Microsoft in an Out-of-Band release on Thursday, security researchers have discovered a series of attacks targeting various industries.
As reported earlier by SecurityWeek, Microsoft disclosed the vulnerability (CVE-2014-1776), which affected IE 6 through IE 11 and all versions of the Windows operating system, from Windows XP to Windows 8.1. The flaw, which could result in remote code execution just by a user browsing to a compromised Website, were already being exploited in the wild, in an ongoing campaign FireEye Research Labs dubbed as "Operation Clandestine Fox." The attacks used maliciously crafted Flash files to target IE9 through IE11 on Windows 7 and 8, FireEye said on Saturday. That no longer appears to be the case, as FireEye researchers revealed new attacks exploiting the same flaw against Windows XP users running IE8.
FireEye coordinated the revelation with Microsoft's surprising decision on Thursday to release an out-of-band patch for all supported versions of Windows as well as Windows XP, despite the fact that support for the old operating system ended April 8. Since Windows XP doesn't have security mitigations such as address space layout randomization and data execution prevention, attackers had to craft the XP exploit differently from the one used against Windows 7 and 8 in earlier attacks, FireEye said. In fact, it was much easier to bypass mitigations in XP.
"This new tactic of specifically targeting those running Windows XP means the risk factors of this vulnerability are now even higher," FireEye's Dan Caselden and Xiaobo Chen wrote Thursday.
Even though Adrienne Hall, general manager of Microsoft's Trustworthy Computing group, said on the Microsoft blog that concerns over the vulnerability were "overblown" and there were "a very small number of attacks based on this particular vulnerability," it's clear that Microsoft was still concerned over the prospect of future attacks against XP.
Exploit writers frequently reverse-engineering a patch to figure out how the vulnerability works, and then write new attacks targeting the flaw, making the prospect of additional attacks against other versions of IE more likely. "This will snowball," said Aviv Raff, the chief technology officer of Seculert. This particular attack targeted the VML Library, which is no longer widely used by developers, but is still linked to all versions of IE for backwards compatibility. While attackers used maliciously crafted Flash files to target IE 9, IE10, and IE11, exploits for older versions of IE wouldn't need Flash, Raff noted.
"We have also observed that multiple new threat actors are now using the exploit in attacks and have expanded the industries they are targeting," FireEye's Caselden and Chen wrote. Originally, the attacks were against the defense and financial sectors, but now organizations in the government and energy sectors are also being targeted, they said.
Organizations should prioritize installing the new update as soon as possible. If that isn't possible, Microsoft's threat advisory for CVE-2014-1776 had some recommendations, such as disabling VGX.DLL, the core library for IE's Vector Markup Language capability as a defense against the exploit. Symantec has released a script, which unregisters the library so that the exploit cannot run at all. Organizations should implement Enhanced Protected Mode in IE so that the browser can't install software or modify system settings. Microsoft also recommended that organizations install Enhanced Mitigation Experience Toolkit, a utility that can help protect systems from common threats.