
SecurityWeek

Microsoft Releases Fix It Tool to Address IE 10 Attacks

Microsoft issued a fix-it tool to help users address a security vulnerability targeted in attacks against Internet Explorer 10.

The issue, which also affects Internet Explorer 9, can be exploited to remotely execute code if a user visits a malicious or compromised site. So far, the bug has been spotted being used in attacks against visitors to the Veterans of Foreign Wars website as well as attacks targeting people interested in GIFAS, the French aerospace industries association. 

According to Microsoft, the vulnerability exists in the way IE accesses an object in memory that has either been deleted or not properly allocated. The vulnerability can corrupt memory in a way that allows an attacker to execute arbitrary code, Microsoft explained in an advisory.

Neil Sikka of Microsoft Security Response Center Engineering blogged that the exploit uses JavaScript to trigger the use-after-free condition and then uses Flash to convert a write primitive into a read/write primitive that enables Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR) to be bypassed.

“The primitive conversion happens by redirecting a write based on a freed object’s data (which has now been reallocated by the attacker) to corrupt a size field inside a Flash object,” Sikka blogged. “The corrupted size field in the Flash object is used to read and write outside of the object’s boundary, allowing discovery of module addresses in Internet Explorer’s Address Space. We are not aware of any elevation of privilege or sandbox escape vulnerability being used to “break out” of the Internet Explorer Protected Mode sandbox. Therefore, even after the exploit gains code execution, it still needs a non-trivial element to result in a persistent compromise of the computer.”
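
The mechanism Sikka describes, reduced to a toy model as an added example (not code from Microsoft, from the exploit, or from the original article): a reference kept after a free writes into the reallocated slot and overwrites a length field, so an out-of-bounds read passes the bounds check, while rejecting stale references stops it. The arena layout, the generation counter and every function name are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy model (constructed): a 64-byte arena whose first 16 bytes are one
   reusable heap slot. All accesses stay inside the arena, so nothing here
   is real undefined behaviour. Every name below is hypothetical. */
enum { SLOT = 16, ARENA = 64, SECRET_AT = 40 };
static uint8_t arena[ARENA];
static uint32_t slot_gen;                 /* bumped on every free */
typedef struct { uint32_t gen; } ref_t;   /* a reference to the slot */
static ref_t slot_alloc(void) { ref_t r = { slot_gen }; memset(arena, 0, SLOT); return r; }
static void slot_free(void) { slot_gen++; }

/* "Object A" keeps a 32-bit flags word at slot offset 0.
   checked != 0 refuses references that outlived a free. */
static int a_set_flags(ref_t r, uint32_t v, int checked) {
    if (checked && r.gen != slot_gen) return -1;
    memcpy(arena, &v, sizeof v);
    return 0;
}

/* "Vector" keeps a 32-bit length at offset 0 and its data after it.
   The bounds check trusts that stored length. */
static int vec_read(uint32_t i, uint8_t *out) {
    uint32_t len;
    memcpy(&len, arena, sizeof len);
    if (i >= len || i >= ARENA - 4) return -1;
    *out = arena[4 + i];
    return 0;
}

/* Returns 1 if a byte outside the vector's 12 data bytes could be read. */
static int oob_read_possible(int checked) {
    uint8_t b = 0;
    uint32_t len = SLOT - 4;
    memset(arena, 0, ARENA);
    arena[SECRET_AT] = 0x5A;              /* neighbouring data, not the vector's */
    ref_t a = slot_alloc();               /* object A lives in the slot */
    slot_free();                          /* freed, but `a` is still held */
    (void)slot_alloc();                   /* slot reused for a vector */
    memcpy(arena, &len, sizeof len);      /* vector length = 12 */
    a_set_flags(a, 0xFFFF, checked);      /* stale write hits the length field */
    return vec_read(SECRET_AT - 4, &b) == 0 && b == 0x5A;
}

int main(void) {
    return printf("unchecked=%d checked=%d\n", oob_read_possible(0), oob_read_possible(1)) < 0;
}
```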

The one-click Fix It tool addresses the known attack vectors. According to researchers at Seculert, there are at least two different groups using the exploits in attacks, with one being behind the attacks on the VFW site and the other related to GIFAS. This is contrary to earlier reports connecting the two campaigns.

“Our analysis reveals that a totally different malware than ZXShell, the culprit as identified by FireEye, was used and has the following capabilities: backdoor (Remote Access Tool), downloader, and information stealer,” blogged Seculert CTO Aviv Raff. “The malware drops 2 files: MediaCenter.exe – a copy of itself, and MicrosoftSecurityLogin.ocx, which is registered as an ActiveX – used by malware to steal information from browsing sessions. Once installed the malware communicates with a criminal command and control server (C&C). Seculert’s investigation has concluded that the C&C is hosted on the same server as the exploit, located in the United States. Moreover, typical red flags would remain unraised as the malware itself has a valid digital certificate. The certificate belongs to MICRO DIGITAL INC. and is valid since March 21, 2012.”

According to Raff, the command and control server of the attack on the aerospace engineer manufacturer is located on the same US-based server as the IE exploit, while the other attack uses a different command and control server.

In addition to the Fix It tool, Microsoft also urged users to upgrade to IE 11, which is not vulnerable to the attacks. The company did not offer a timeline as to when a patch would be available. 

“We continue to work on a security update to address this issue,” blogged Dustin Childs, group manager of response communications for Microsoft Trustworthy Computing. “We are monitoring the threat landscape very closely and will continue to take appropriate action to help protect our global customers.”

