Microsoft Warns Of Dangerous Zero Day Attack Against Internet Explorer
Microsoft Warns Of Dangerous Attack Against Internet Explorer Users
By Robert Westervelt on April 28, 2014, 10:34 am EDT
An organized cybercriminal group is conducting a new targeted attack campaign against users of Internet Explorer, zeroing in on U.S. organizations with strong ties to the defense and financial industries, according to FireEye security researchers.
The new Internet Explorer zero-day attack, made public Sunday, has prompted Microsoft to issue a security advisory warning users that the attacks target every supported version of its browser. The attackers are using a malicious link to lure users to an attack website, with the aim of gaining complete control of the victim's PC, Microsoft said. The Redmond, Wash., software giant did not rule out an emergency, out-of-cycle security update to address the issue.
"An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website," Microsoft said in the advisory. "On completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include providing a solution through our monthly security update release process, or an out-of-cycle security update, depending on customer needs."
With Microsoft having ended support for Windows XP, users of that platform likely will remain vulnerable indefinitely, said J.J. Thompson, managing director and CEO of Rook Security, a security solution provider and risk management consultancy. Organizations could enable stricter policies in Internet Explorer, use the Microsoft Enhanced Mitigation Experience Toolkit (EMET) for maximum coverage and, as a last resort, disable Flash, he said.
"Protecting end users from this attack may prove difficult, especially so for those that happen to still be using Windows XP," Thompson said.
FireEye researchers, meanwhile, said the attack will not work without the Adobe Flash plugin installed on the victim's PC. The Internet Explorer zero-day exploit bypasses Microsoft's built-in security mechanisms designed to thwart malicious code from executing in memory, the company said. In its advisory issued Sunday, FireEye said it knows the threat actors but declined to give details about the operators behind what it is calling the Operation Clandestine Fox campaign.
"We believe this is a significant zero-day as the vulnerable versions represent about a quarter of the total browser market," FireEye said. "Disabling the Flash plugin within IE will prevent the exploit from functioning."
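The mitigations Thompson and FireEye describe above (stricter Internet Explorer policies, EMET, and disabling Flash in IE) can be audited and applied from an administrator's shell. The script below is an added example, not code from the article, Microsoft or FireEye. It assumes an elevated PowerShell session on a Windows client, that `{D27CDB6E-AE6D-11cf-96B8-444553540000}` is the CLSID of the Shockwave Flash Object, that EMET registers an Add/Remove Programs entry containing its full name, and that the Internet zone's `CurrentLevel` values map as commented; it is report-only unless run with `-Apply`.

```powershell
<#
  Added example (not from the article, Microsoft or FireEye).
  Reports, and with -Apply applies, mitigations discussed in the article:
    1. block the Flash ActiveX control in Internet Explorer via the ActiveX "kill bit"
    2. report whether EMET is installed and the Internet zone security level
  Assumptions: elevated PowerShell on Windows; CLSID below is the Shockwave Flash
  Object's; EMET is detected through its uninstall entry; zone level mapping as commented.
#>
param([switch]$Apply)   # default is report-only

$FlashClsid = '{D27CDB6E-AE6D-11cf-96B8-444553540000}'   # Shockwave Flash Object CLSID
$KillBit    = 0x400                                       # "Compatibility Flags" bit that blocks a control in IE

# 64-bit Windows keeps a second copy of the key for 32-bit IE under WOW6432Node
$CompatKeys = @(
    "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$FlashClsid",
    "HKLM:\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$FlashClsid"
)

function Get-KillBitState {
    param([string]$Key)
    if (-not (Test-Path $Key)) { return 'not set' }
    $flags = (Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -ne $flags -and ($flags -band $KillBit) -eq $KillBit) { return 'set' }
    return 'not set'
}

function Set-KillBit {
    param([string]$Key)
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    # OR the kill bit into any flags already present rather than overwriting them
    $existing = (Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue).'Compatibility Flags'
    $new = if ($null -eq $existing) { $KillBit } else { $existing -bor $KillBit }
    Set-ItemProperty -Path $Key -Name 'Compatibility Flags' -Value $new -Type DWord
}

function Test-EmetInstalled {
    # Assumption: EMET's installer registers an uninstall entry with its full product name
    $uninstall = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $hits = Get-ItemProperty -Path $uninstall -ErrorAction SilentlyContinue |
            Where-Object { $_.DisplayName -like '*Enhanced Mitigation Experience Toolkit*' }
    return [bool]$hits
}

function Get-InternetZoneLevel {
    # Zone 3 = Internet. Assumed mapping: CurrentLevel 0x12000 = High, 0x11000 = Medium
    $zone  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
    $level = (Get-ItemProperty -Path $zone -ErrorAction SilentlyContinue).CurrentLevel
    switch ($level) {
        0x12000 { 'High' }
        0x11000 { 'Medium' }
        default { 'unknown (0x{0:X})' -f $level }
    }
}

# --- report current state ---
foreach ($key in $CompatKeys) {
    # only consult hives that exist on this architecture
    if (Test-Path (Split-Path $key -Parent)) {
        Write-Host ('Flash kill bit [{0}]: {1}' -f $key, (Get-KillBitState $key))
    }
}
Write-Host ('EMET installed: {0}' -f (Test-EmetInstalled))
Write-Host ('Internet zone security level: {0}' -f (Get-InternetZoneLevel))

# --- apply the kill bit, only when explicitly requested ---
if ($Apply) {
    foreach ($key in $CompatKeys) {
        if (Test-Path (Split-Path $key -Parent)) {
            Set-KillBit $key
            Write-Host ('Kill bit applied: {0}' -f $key)
        }
    }
}
```

Run it once without arguments to see the current state of each machine, and with `-Apply` (for example through a management tool that runs scripts elevated) to set the kill bit fleet-wide. The kill bit only affects the control inside Internet Explorer, so it is a narrower change than uninstalling Flash, which is why it suits the "last resort" role the article assigns to disabling Flash; the EMET and zone checks are read-only and exist to show whether the other two recommended layers are in place.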
The attack also prompted an advisory from the U.S. Computer Emergency Readiness Team, which said an attack without the use of Flash may be possible.
FireEye said it observed an attack website loading a malicious Flash file to exploit the browser vulnerability. The Flash content is used to manipulate the browser's allocated memory and then bypass Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP), two built-in security mechanisms designed to deter attackers from carrying out such attacks.
The FireEye researchers, Xiaobo Chen, Dan Caselden and Mike Scott, said the cybercriminal organization has been tracked since it was first identified in 2010. The attackers specialize in custom browser-based zero-day exploits, having used them against Internet Explorer, Firefox and Flash in previous campaigns, the researchers said. The group's attack patterns have been difficult to trace, and its command-and-control methods easily bypass intrusion detection systems. Once they gain access, typically within seconds, they establish a foothold on the victim's machine, install a back door for remote access and then move laterally across the victim's corporate network, according to FireEye.
Solution providers said the attack is a serious threat to organizations whose employees rely on Internet Explorer as their core browser. Administrators have done a better job of disabling or firewalling unnecessary software on servers, but attackers have moved to the desktop, where Flash and Java are top targets, they said.
"We have many customers that have systems that will not work on any other browser so this is going to be an issue for them, and hopefully Microsoft will come out with a fix quickly," Aquino said. "Most of the options to fix or mitigate this will take more time than it would to get a fix in place."
Many organizations have switched to Google Chrome as their standard browser, but some are still tied to Internet Explorer so that custom applications continue to function properly, said Rick Doten, chief information security officer at Digital Management, a Bethesda, Md.-based mobility solution provider. Being able to understand and prioritize external threat intelligence is essential to mounting an appropriate response to new threats, Doten said.
"Someone on top of this would have identified it through information-sharing among peers or from reading the notice, and could apply the block and track quickly, hopefully before one of their users has been compromised," Doten said. "The goal is to respond before it impacts the business -- not the goal of 'don't get infected.' When you measure it that way, you shouldn't be scared when a zero-day happens."
Preventing drive-by attacks will require IT to rethink how it deploys software and workstations, said Chris Camejo, director of consulting and professional services at NTT Com Security. IT should build workstations and servers with as little software as possible, adding software only as each use case requires, he said.
"A core security concept is that any unnecessary software should be removed or disabled whenever possible to reduce the attack surface," Camejo said.