Attackers are actively exploiting a previously unknown vulnerability in all supported versions of Internet Explorer that allows them to surreptitiously hijack vulnerable computers, Microsoft warned Sunday.
The zero-day code-execution hole in IE versions 6 through 11 represents a significant threat to Internet security because there is currently no fix for the underlying bug, which affects an estimated 26 percent of the total browser market. It’s also the first severe vulnerability to affect Windows XP users since Microsoft withdrew support, and with it security patches, for that aging OS earlier this month. Users who have the option of using an alternate browser should avoid all use of IE for the time being. Those who remain dependent on the Microsoft browser should immediately install EMET, Microsoft’s freely available Enhanced Mitigation Experience Toolkit, which hardens Windows processes against the memory-corruption exploitation techniques attacks like this one rely on.
The vulnerability is formally indexed as CVE-2014-1776. Microsoft has published several blog posts laying out the bare-bones details uncovered at this early stage in its investigation. Although the vulnerability itself is not in Adobe Flash, the in-the-wild exploit relies on the Flash add-on, so disabling it will also neutralize the attacks, analysts at security firm FireEye Research Labs wrote in a separate blog post published Sunday. Disabling vector markup language (VML) support in IE, which the exploit also depends on, mitigates the attacks as well.
A known gang of malicious hackers is already exploiting the previously unknown use-after-free vulnerability in targeted attacks, FireEye researchers said. The in-the-wild attacks the researchers observed target IE versions 9, 10, and 11 and work when victims visit booby-trapped websites. To bypass address space layout randomization and data execution prevention, the security mitigations Microsoft designed to make it harder for attackers to turn a memory-corruption bug into remote code execution, the attacks abuse the presence of the vector markup language and Adobe Flash in the browser. The group carrying out the attacks is known to be behind other “advanced persistent threats,” which use an arsenal of zero-day attacks to penetrate specific corporations and governments to siphon proprietary data and sensitive information.
“The APT group responsible for this exploit has been the first group to have access to a select number of browser-based 0-day exploits (e.g. IE, Firefox, and Flash) in the past,” the FireEye analysts wrote. “They are extremely proficient at lateral movement and are difficult to track, as they typically do not reuse command and control infrastructure. They have a number of backdoors including one known as Pirpi that we previously discussed here. CVE-2010-3692, then a 0-day exploit in Internet Explorer 6, 7, and 8, dropped the Pirpi payload discussed in this previous case.”
FireEye is withholding further details of the attack campaign, presumably to prevent copycat attacks or protect the targeted parties.
While the current attacks are limited to a small number of specifically targeted individuals or organizations, it’s not uncommon for vulnerabilities to become much more widely exploited in the hours or days following widespread disclosure. End users should exercise caution, at least until Microsoft and other third-party researchers have time to conduct a more thorough investigation. As already stated, the best defense for now is to avoid all use of IE whenever possible. Barring that, IE users should ensure EMET 4.1 or 5.0 is installed with all of its mitigations enabled, and should disable both VML and Flash in the browser.
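For administrators who cannot take IE out of service, the two browser-side workarounds above (disable VML, disable the Flash add-on) can be scripted. The script below is an added example written for this page, not code from the article, FireEye or Microsoft. It unregisters vgx.dll, the DLL that implements VML in IE, with regsvr32 (the mechanism Microsoft's advisory describes for disabling VML) and sets the standard ActiveX "kill bit" on the Flash control so IE refuses to instantiate it; `-Undo` reverses both once a patch is deployed. Assumptions not stated in the article: the vgx.dll locations under the Common Files tree (with a 32-bit copy under the (x86) tree on 64-bit Windows), the Flash control's CLSID `{D27CDB6E-AE6D-11cf-96B8-444553540000}`, and that the machine is a 64-bit Windows box, which the script detects by the presence of SysWOW64.

```powershell
# Added example for this page (not the article's, FireEye's or Microsoft's code).
# Disables the two IE components the in-the-wild CVE-2014-1776 exploit depends on,
# VML (vgx.dll) and the Flash ActiveX control, and re-enables them with -Undo.
# Assumed, not taken from the page: vgx.dll paths, the Flash CLSID, and the
# SysWOW64 check used to detect 64-bit Windows.
param([switch]$Undo)

$principal = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run from an elevated PowerShell: regsvr32 and HKLM writes need admin rights.'
}

$is64Bit    = Test-Path "$env:SystemRoot\SysWOW64"
$flashClsid = '{D27CDB6E-AE6D-11cf-96B8-444553540000}'   # assumed: Shockwave Flash Object

# Pair each vgx.dll copy with the regsvr32.exe of the same bitness.
$vmlTargets = @(@{ Dll = (Join-Path $env:CommonProgramFiles 'Microsoft Shared\VGX\vgx.dll');
                   Regsvr32 = "$env:SystemRoot\System32\regsvr32.exe" })
if ($is64Bit -and ${env:CommonProgramFiles(x86)}) {
    $vmlTargets += @{ Dll = (Join-Path ${env:CommonProgramFiles(x86)} 'Microsoft Shared\VGX\vgx.dll');
                      Regsvr32 = "$env:SystemRoot\SysWOW64\regsvr32.exe" }
}

# Kill-bit keys: the native view, plus the Wow6432Node view read by 32-bit IE on 64-bit Windows.
$killBitKeys = @("HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$flashClsid")
if ($is64Bit) {
    $killBitKeys += "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$flashClsid"
}

function Set-VmlState {
    param([hashtable[]]$Targets, [switch]$Enable)
    foreach ($t in $Targets) {
        if (-not (Test-Path $t.Dll)) { Write-Host "VML: $($t.Dll) not present, skipping"; continue }
        # /u removes the COM registration so IE can no longer load the VML renderer;
        # without /u the same command puts it back. /s suppresses the message box.
        if ($Enable) { & $t.Regsvr32 /s $t.Dll } else { & $t.Regsvr32 /s /u $t.Dll }
        if ($LASTEXITCODE -ne 0) { Write-Warning "VML: regsvr32 on $($t.Dll) exited $LASTEXITCODE" }
    }
}

function Get-VmlRegistrations {
    # Lists CLSIDs whose in-process server is still vgx.dll; empty once VML is unregistered.
    $roots = @('HKLM:\SOFTWARE\Classes\CLSID')
    if ($is64Bit) { $roots += 'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID' }
    foreach ($root in $roots) {
        Get-ChildItem -Path $root -ErrorAction SilentlyContinue | ForEach-Object {
            $server = (Get-ItemProperty -Path "$($_.PSPath)\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
            if ($server -and $server -match 'vgx\.dll') { $_.PSChildName }
        }
    }
}

function Set-FlashKillBit {
    param([string[]]$Keys, [switch]$Enable)
    foreach ($key in $Keys) {
        if ($Enable) {
            if (Test-Path $key) { Remove-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue }
        } else {
            if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
            # 0x400 is the documented kill bit: IE refuses to instantiate the control.
            Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value 0x400 -Type DWord
        }
    }
}

function Get-FlashKillBitState {
    param([string[]]$Keys)
    foreach ($key in $Keys) {
        $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
        New-Object PSObject -Property @{ Key = $key; KillBitSet = [bool]($flags -band 0x400) }
    }
}

Set-VmlState     -Targets $vmlTargets -Enable:$Undo
Set-FlashKillBit -Keys    $killBitKeys -Enable:$Undo

# Verify rather than trust: report what the registry now says.
"VML CLSIDs still pointing at vgx.dll: {0}" -f (@(Get-VmlRegistrations)).Count
Get-FlashKillBitState -Keys $killBitKeys | Format-Table Key, KillBitSet -AutoSize
```

The verification step matters more than the change itself: a later Flash or IE update can re-register vgx.dll or recreate the control's registration, so the check should be re-run after patch cycles until a fix for CVE-2014-1776 is installed. EMET configuration is a separate step the script does not perform.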