Microsoft has patched an Internet Explorer bug that has come under attack and dominated news headlines in recent days.
The security vulnerability affects users running IE versions 6 through 11, and security researchers had spotted it being used in targeted attacks. The vulnerability stems from IE improperly accessing an object in memory, which corrupts memory in a way that allows an attacker to execute arbitrary code in the context of the user.
News of a fix came on the same day that researchers at FireEye revealed an effort to exploit the bug against users of IE 8 and Windows XP. This discovery means that there are now live attacks exploiting the bug that target anyone running IE 8 through 11 on Windows XP, 7 and 8.
According to FireEye, multiple threat actors are using the exploit in attacks and have expanded the industries being targeted. In addition to previously observed attacks against the defense and financial sectors, the government and energy sectors are under attack now as well.
“The main differences between this new attack targeting Windows XP compared to the original Windows 7/8.1 versions of this attack are the mitigation bypasses,” the FireEye researchers explained in a blog post. “The Windows 7/8.1 version develops its write primitive into read/write access to much of the process space by corrupting Flash vector objects. This is to bypass ASLR by searching for ROP gadgets and building a ROP chain dynamically in memory.”
“Without ASLR, ROP gadgets can be constructed beforehand with static addresses,” the researchers continued. “Consequently, Flash assistance in the Windows XP version is much simpler. It builds a ROP chain with static addresses to gadgets in MSVCRT, tweaks addresses for a plethora of language packs, and jumps directly to a pivot without developing a write primitive. From there, the ROP chain calls VirtualAlloc to allocate executable memory, copies the shellcode to the allocated chunk, and executes the shellcode. This new tactic of specifically targeting those running Windows XP means the risk factors of this vulnerability are now even higher.”
Trey Ford, global security strategist at Rapid7, noted that the presence of an out-of-band patch by Microsoft demonstrates the seriousness of the situation.
“To interrupt a scheduled development cycle for an emergency patch, or ‘out of band’ release, is a noteworthy event where a vendor is placing the public good ahead of their development and delivery lifecycle,” he said. “One thing particularly of interest is that Microsoft made the decision to issue this patch for Windows XP, which is no longer officially supported. I think this underscores the importance of this patch, and the priority with which it should be deployed. Corporate and private users should prioritize downloading… and deploying this patch.”
Dustin Childs, group manager of response communications for Microsoft Trustworthy Computing, blogged that while Microsoft decided to release an update for XP users as well in this case, those users should still upgrade as the operating system is no longer supported.