IE 0-day exploit actively used in attacks against US-based firms

Late on Saturday, Microsoft has published a security advisory warning about “limited, targeted attacks” exploiting a newly discovered zero day vulnerability that affects all supported versions of Internet Explorer (6 to 11).

“This issue allows remote code execution if users visit a malicious website with an affected browser. This would typically occur by an attacker convincing someone to click a link in an email or instant message,” shared in a blog post Dustin Childs, Group Manager, Microsoft Trustworthy Computing.

The exploitation of the vulnerability in the wild has been first spotted by researchers from security company FireEye who have, for the time being, declined sharing many details about the ongoing campaign, which they have named “Operation Clandestine Fox.”

It is known that the attacks are perpetrated by a sophisticated group of hackers, and that the attacks are seemingly directed against US-based defense and financial firms, and the attackers are intent on gathering information.

The attackers are currently targeting only IE versions 9 through 11. “The exploit leverages a previously unknown use-after-free vulnerability, and uses a well-known Flash exploitation technique to achieve arbitrary memory access and bypass Windows’ ASLR and DEP protections,” the researchers explained.

“The APT group responsible for this exploit has been the first group to have access to a select number of browser-based 0-day exploits (e.g. IE, Firefox, and Flash) in the past. They are extremely proficient at lateral movement and are difficult to track, as they typically do not reuse command and control infrastructure. They have a number of backdoors including one known as Pirpi,” they added.

Microsoft is yet to issue a patch, a security update or a Fix it tool for closing the hole, but there are a few things users can do mitigate the possibility of being successfully targeted until a fix is released:

  • Install and use MS’ Enhanced Mitigation Experience Toolkit (EMET) versions 4.1 and 5.0, which can break or detect the exploit.
  • Switch to Enhanced Protected Mode in IE10 and IE11, or disable the Flash plugin within IE
  • Switch to using another browser for the time being.

Also, users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

More technical details about the exploitation sequence can be found on FireEye’s blog.

This vulnerability (CVE-2014-1776) is also the first one that will not ultimately be fixed for Windows XP users, as Microsoft ended support for the operating system on April 8th, 2014. Those users can use EMET 4.1 or higher to mitigate the danger, use another browser, or finally switch to a newer, more secure Windows version.

Don't miss