Security Experts:

Nasty IE Zero-Day Used in Attacks Against Defense, Financial Sectors: FireEye

Researchers from FireEye have discovered a nasty zero-day exploit that bypasses the ASLR and DEP protections in Microsoft Windows and is being used in targeted attacks.

The security flaw is a remote code execution vulnerability (CVE-2014-1776) that affects versions of IE6 through IE11, which in total accounted for 26.25% of the browser market in 2013. 

The campaign is currently targeting US-based firms tied to the defense and financial sectors, a FireEye spokesperson told SecurityWeek, and is specifically targeting IE9 through IE11. 

Zero Day Attack

“The exploit leverages a previously unknown use-after-free vulnerability, and uses a well-known Flash exploitation technique to achieve arbitrary memory access and bypass Windows’ ASLR and DEP protections,” FireEye wrote in a blog post Saturday. 

FireEye also told SecurityWeek that spearphishing emails were used in the attacks, and that all referenced "fake reports" being sent to the victims.

Microsoft also issued a security advisory on Saturday and said they were working with partners in its Microsoft Active Protections Program (MAPP) to extend broader protections to customers as soon as possible.

If successfully exploited, an attacker could gain the same user rights on the impacted system as the current user, Microsoft said. Accounts configured with fewer rights on the could be less impacted than users who operate with administrative privilages.

FireEye has named the campaign “Operation Clandestine Fox,” but has shared very little details other than saying the group behind the exploit has been the first to have access to a select number of browser-based 0-days in the past.

FireEye warned that the attackers are “extremely proficient at lateral movement and are difficult to track, as they typically do not reuse command and control infrastructure.”

“They have a number of backdoors including one known as Pirpi that we previously discussed here,” the researchers wrote. “CVE-2010-3962, then a 0-day exploit in Internet Explorer 6, 7, and 8 dropped the Pirpi payload discussed in this previous case.” 

“The SWF file calls back to Javascript in IE to trigger the IE bug and overwrite the length field of a Flash vector object in the heapspray,” FireEye explained. “The SWF file loops through the heapspray to find the corrupted vector object, and uses it to again modify the length of another vector object. This other corrupted vector object is then used for subsequent memory accesses, which it then uses to bypass ASLR and DEP.”

Because the attack leverages Adobe Flash, users who do not have Flash installed or have the Flash plugin for IE disabled, will be protected. Additionally, several versions of Microsoft's Enhanced Mitigation Experience Toolkit (EMET) will break the exploit, though Microsoft specifically said EMET 3.0 does not mitigate the issue.

"While this zero-day threat is not widespread yet and is only being used in targeted attacks, we can be confident that the developers of exploit kits are sharpening their pencils and that it won’t be long before the exploit is widespread," Roger Thompson, chief emerging threats researcher at ICSA Labs, told SecurityWeek.

"Users must apply all available patches to their operating systems as soon as they are available to mitigate any possible damage from this threat," Thompson added. "For users on Windows XP, which is no longer supported and will no longer have security patches available: upgrade to Windows 7 or higher as soon as possible. The XP-ocalypse has started. There will soon be a new name for Windows XP users, and that name will be “victim.”

Additional technical details are available from FireEye. Microsoft also has provided some mitigation information. 

Related: ASLR Bypass Techniques Appearing More Frequently in Attacks

*Updated with additional commentary