Critical zero-day hole in Internet Explorer – Update
While analysing a compromised web page, security experts from FireEye discovered malware that exploits a previously unknown security hole in Internet Explorer. The hole allows attackers to inject malicious code into the Internet Explorer user’s system when a specially crafted web page is visited. All versions up to and including IE version 8 are vulnerable; currently available information suggests that later versions are not affected.
The researchers from FireEye report that the attackers first used a Flash applet to deploy shell code in RAM by means of heap spraying, and that they then managed to execute the code via the zero-day hole in IE. The hole involves a use-after-free issue with CDwnBindInfo
within IE. The security hole the researchers found was exploited to inject a DLL into the system but they have yet to comment on the library’s purpose.
The report states that the incident involves a “watering hole” attack: During such targeted cyber attacks, the attackers compromise web pages that are visited by their intended victims and deploy malicious code this way. The experts found the exploit on the web page of the Council on Foreign Relations (http://www.cfr.org/), a US think tank that includes around 4,500 influential political and business personalities. The attackers used a few lines of JavaScript code to ensure that the exploit is only executed if the visitor’s system language is set to US English, Chinese, Japanese, Korean or Russian.
Talking to security blogger Brian Krebs, Microsoft confirmed the vulnerability and said that only versions 6 to 8 of Internet Explorer are affected. Since that confirmation, a metaploit module has been published and US CERT has released a vulnerability note on the issue. With details of the problem in circulation, it will be very likely that attackers will have added or be adding the exploit into their arsenal of malware; users should look at moving to IE9 or later where they can.
Update: Microsoft has also published its own official advisory and instructions on how to mitigate attacks and detect failing attacks on IE9 and IE10.