IE zero-day used in targeted watering hole attacks
Posted on 02 January 2013.
Bookmark and Share
News that an Internet Explorer zero-day vulnerability was being and has been for quite some time been used in a new "watering hole" attack has livened the otherwise uneventful last week of 2012.


The exploited website was that of the Council on Foreign Relations, an organization, publisher, and think tank specializing in U.S. foreign policy and international affairs, among whose members are a number of high-profile U.S. government and political figures such as former secretary of state Madeleine Albright, former treasury secretary Robert Rubin, and many others.

According to security researcher Eric Romang, the website seems to have been compromised as early as December 7, and possibly even earlier.

FireEye's researchers have been alerted to the compromise on December 27 and proceeded to analyze the attack and discover its use of a previously unknown Microsoft Internet Explorer vulnerability.

Visitors to the website who used IE 6,7, or 8, had Flash and Java 6 installed, and had the OS language set on U.S. English, Chinese, Taiwan Chinese, Russian, Korean or Japanese were unknowingly redirected to a page serving a malicious Shockwave Flash File (today.swf) that would trigger the vulnerability. Others were redirected to a blank page.

"When the Flash object was loaded, it performed a heap-spray and injected the shellcode used to locate the xsainfo.jpg file, decode it, and store it in the %Temp%/flowertep.jpg file, Symantec's researchers explained. "Next, a request was sent for the robots.txt file which gets de-obfuscated and then used to load the malicious payload (flowertep.jpg) using techniques to by-pass DEP and ASLR on Windows 7."

All this was performed to ultimately allow a secret download of a variant of the Bifrose backdoor, which would give the attackers access to the targeted machines, which largely belong to U.S. users.

Upon the discovery of the attack, Microsoft began working on a patch. They issued a security advisory warning the public about this zero-day 'CDwnBindInfo' use-after-free remote code execution vulnerability.

The flaw affects only IE versions 6, 7 and 8, so users are advised to update to IE 9 or 10 in order to avoid being compromised, or to install Microsoft's "Fix it" solution that reduces the attack surface of the flaw by applying workaround configuration changes.

"Applying this workaround will not interfere with the installation of the final security update that will address this issue," stated Microsoft's Cristian Craioveanu, but advised on uninstalling the workaround once the final security update is installed because it has a small effect on the startup time of Internet Explorer. There's no word yet on when we can expect the security update.

In the meantime, Sophos researchers have also begun analyzing the attack and are claiming that the same exploit was spotted being used on at least five additional websites.







Spotlight

Nine patterns make up 92 percent of security incidents

Posted on 23 April 2014.  |  Researchers have found that 92 percent of the 100,000 security incidents analyzed over the past ten years can be traced to nine basic attack patterns that vary from industry to industry.


Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.
  



Daily digest

Receive a daily digest of the latest security news.
  

DON'T
MISS

Thu, Apr 24th
    COPYRIGHT 1998-2014 BY HELP NET SECURITY.   // READ OUR PRIVACY POLICY // ABOUT US // ADVERTISE //