
Attackers Fire at Windows XP Users With Recently Discovered IE Zero-Day

Attackers are exploiting a recently disclosed zero-day vulnerability in Internet Explorer in campaigns targeting Windows XP users, FireEye researchers have found. Although Microsoft patched the vulnerability in an out-of-band release on Thursday, security researchers have discovered a series of attacks targeting various industries.

As reported earlier by SecurityWeek, Microsoft disclosed the vulnerability (CVE-2014-1776), which affects IE 6 through IE 11 and all versions of Windows from Windows XP to Windows 8.1. The flaw, which can result in remote code execution when a user merely browses to a compromised website, was already being exploited in the wild in an ongoing campaign that FireEye Research Labs dubbed "Operation Clandestine Fox." Those attacks used maliciously crafted Flash files to target IE9 through IE11 on Windows 7 and 8, FireEye said on Saturday. The campaign is no longer confined to those versions: FireEye researchers have since revealed new attacks exploiting the same flaw against Windows XP users running IE8.

FireEye coordinated the disclosure with Microsoft's surprising decision on Thursday to release an out-of-band patch for all supported versions of Windows as well as Windows XP, even though support for the old operating system ended April 8. Because Windows XP lacks security mitigations such as address space layout randomization (ASLR) and data execution prevention (DEP), attackers had to craft the XP exploit differently from the one used against Windows 7 and 8 in the earlier attacks, FireEye said; in practice, with fewer mitigations in the way, the XP exploit was considerably simpler to build.

“This new tactic of specifically targeting those running Windows XP means the risk factors of this vulnerability are now even higher,” FireEye’s Dan Caselden and Xiaobo Chen wrote Thursday.

Even though Adrienne Hall, general manager of Microsoft’s Trustworthy Computing group, said on the Microsoft blog that concerns over the vulnerability were “overblown” and there were “a very small number of attacks based on this particular vulnerability,” it’s clear that Microsoft was still concerned over the prospect of future attacks against XP.

Exploit writers frequently reverse-engineer a patch to figure out how the vulnerability works and then write new attacks targeting the flaw, which makes additional attacks against other versions of IE more likely. "This will snowball," said Aviv Raff, chief technology officer of Seculert. This particular attack targeted the Vector Markup Language (VML) library, vgx.dll, which developers no longer widely use but which remains linked into all versions of IE for backwards compatibility. While attackers used maliciously crafted Flash files to target IE9, IE10, and IE11, exploits for older versions of IE wouldn't need Flash, Raff noted.

“We have also observed that multiple new threat actors are now using the exploit in attacks and have expanded the industries they are targeting,” FireEye’s Caselden and Chen wrote. Originally, the attacks were against the defense and financial sectors, but now organizations in the government and energy sectors are also being targeted, they said.

Organizations should prioritize installing the new update as soon as possible. Where that isn't possible, Microsoft's security advisory for CVE-2014-1776 (Security Advisory 2963983) offers workarounds, chief among them unregistering VGX.DLL, the core library for IE's Vector Markup Language support, so that the exploit has no VML code to reach. Symantec has released a script that unregisters the library; the library should be re-registered once the patch is applied, since VML content will not render while it is disabled. Organizations running IE10 or IE11 should enable Enhanced Protected Mode, which confines the browser so that it can't install software or modify system settings. Microsoft also recommended installing the Enhanced Mitigation Experience Toolkit (EMET), a utility that applies additional exploit mitigations to IE and other applications.
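The VGX.DLL workaround above is a short procedure an administrator would script rather than type by hand. The PowerShell below is an added example, not code from SecurityWeek, FireEye, Symantec or Microsoft: it locates each copy of vgx.dll on the machine (64-bit Windows carries a 32-bit copy as well), reports whether the library is still registered as a COM server by scanning HKCR\CLSID for an InprocServer32 entry that points at it, and unregisters or re-registers it with regsvr32, the same command the advisory gives. The function names are mine; it assumes an elevated prompt and that vgx.dll lives under Common Files\Microsoft Shared\VGX, the path the advisory uses.

```powershell
# Added example for the CVE-2014-1776 workaround; not from the article or the vendors it cites.
# Assumptions: run from an elevated PowerShell prompt; vgx.dll sits under
# "<Common Files>\Microsoft Shared\VGX\" as in Microsoft's advisory; function names are mine.

function Get-VgxTarget {
    # One object per vgx.dll present on this machine, paired with the regsvr32 of matching bitness.
    # 64-bit Windows also has a 32-bit copy under Common Files (x86); 32-bit XP has only the first.
    $targets = @(
        @{ Dll    = Join-Path $env:CommonProgramFiles 'Microsoft Shared\VGX\vgx.dll'
           Regsvr = Join-Path $env:SystemRoot 'System32\regsvr32.exe' }
    )
    if (${env:CommonProgramFiles(x86)}) {
        $targets += @{ Dll    = Join-Path ${env:CommonProgramFiles(x86)} 'Microsoft Shared\VGX\vgx.dll'
                       Regsvr = Join-Path $env:SystemRoot 'SysWOW64\regsvr32.exe' }
    }
    $targets | Where-Object { Test-Path $_.Dll }
}

function Test-VgxRegistered {
    # IE can only load vgx.dll as a COM server if some CLSID's InprocServer32 default value
    # names it. Scan both the native and the WOW6432Node hives instead of hard-coding a CLSID.
    $roots = @('Registry::HKEY_CLASSES_ROOT\CLSID',
               'Registry::HKEY_CLASSES_ROOT\Wow6432Node\CLSID')
    foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }
        foreach ($clsid in Get-ChildItem $root -ErrorAction SilentlyContinue) {
            $key = Join-Path $clsid.PSPath 'InprocServer32'
            if (-not (Test-Path $key)) { continue }
            $server = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'(default)'
            if ($server -and $server -match 'vgx\.dll"?$') { return $true }
        }
    }
    return $false
}

function Disable-Vgx {
    # Workaround: unregister the library so the exploit has nothing to call.
    # /s keeps regsvr32 quiet; a non-zero exit code is the only failure signal.
    foreach ($t in Get-VgxTarget) {
        & $t.Regsvr /s /u $t.Dll
        if ($LASTEXITCODE -ne 0) { Write-Warning "Unregister failed for $($t.Dll) (exit $LASTEXITCODE)" }
    }
}

function Enable-Vgx {
    # Undo the workaround once the update is installed; VML content does not render while
    # the library is unregistered.
    foreach ($t in Get-VgxTarget) {
        & $t.Regsvr /s $t.Dll
        if ($LASTEXITCODE -ne 0) { Write-Warning "Re-register failed for $($t.Dll) (exit $LASTEXITCODE)" }
    }
}

# Usage from an elevated prompt:
#   . .\vgx-workaround.ps1
#   Test-VgxRegistered   # $true while the library is reachable, $false after Disable-Vgx
#   Disable-Vgx          # before the out-of-band update can be applied
#   Enable-Vgx           # after the update is installed
```

Test-VgxRegistered walks every CLSID key, which takes a few seconds on a large machine, but it avoids depending on a specific CLSID and catches the 32-bit registration that a 64-bit check of HKCR\CLSID alone would miss. Unregistering is a stop-gap only: the patch, Enhanced Protected Mode where the IE version supports it, and EMET are what actually close the hole.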
