Microsoft confirms zero-day vulnerability exploiting IE8

The watering hole attack that exploited a zero-day in IE8, disabled antivirus, and was aimed at U.S. Department of Labor nuclear researchers was also found on nine other websites targeting aerospace, defense and security markets.

After reports of a zero-day vulnerability exploiting IE8 for watering hole attacks, Microsoft confirmed the flaw and released Security Advisory 2847140. Microsoft Security Response Center wrote, "Internet Explorer 6, 7, 9 and 10 are not affected by the vulnerability. This issue allows remote code execution if users browse to a malicious website with an affected browser. This would typically occur by an attacker convincing someone to click a link in an email or instant message."

That, links in email or IM, wasn't the scenario when the U.S. Department of Labor website served up malicious code that was capable of disabling some antivirus products. It is believed to be highly targeted and aimed at Department of Energy (DOE) employees who worked with nukes.

The Institute of Medicine explained that Congress ordered compensation for DOE workers and contractors who suffered from diseases related to nuclear radioactive and nonradioactive toxic substances. To determine compensation, the Department of Labor setup a Site Exposure Matrix database, "which was designed to organize, display, and communicate information on the toxic substances found at those sites and possible health effects associated with exposure to those substances."

Security firm Invincea first reported the "Dept of Labor website was compromised to re-direct visitors to a website that in turn executed a drive-by download exploit of IE8 in order to install the Poison Ivy backdoor Trojan." Anup Ghosh, Invincea's founder and a former DARPA program manager told Nextgov, "We can infer the target of the attack are [Energy Department] folks in a watering hole style attack compromising one federal department to attack another." He added that there was nothing unique to the Labor's database that made it more vulnerable than other large organizations' sites.

Ghosh warned, "No one is immune to these attacks. The federal enterprise isn't much different from corporate enterprises in terms of using older versions of Windows and Internet Explorer. As a result, these attacks are likely to be successful unless the target is using more advanced forms of browser protection software such as virtual containers."

Alien Vault Labs reported, "In addition we have found that the U.S Department of Labor website wasn't the only entity affected and we can confirm that at least 9 other websites were redirecting to the malicious server at the same time. The list of affected sites includes several non-profit groups and institutes as well as a big European company that plays on the aerospace, defense and security markets."

The security firm had previously warned that the malware could detect and disable the following antivirus products: "Avira, Bitdefender 2013, McAfee Enterprise, AVG 2012, Eset Nod32, Dr. Web, Microsoft Security Essentials, Sophos, F-Secure 2011, Kaspersky 2012, Kaspersky 2013." Furthermore, the Command and Control (C&C) protocol matched "with a backdoor used by a known Chinese actor called DeepPanda and described by CrowdStrike" [pdf]. Alien Vault Lab recommended that you search your logs for known domains and IP addresses.

"An attacker who successfully exploited this vulnerability could gain the same user rights as the current user," warned Microsoft before advising users to upgrade to Internet Explorer 9 or 10. After an investigation, Microsoft "will take the appropriate action to protect our customers, which may include providing a solution through our monthly security update release process, or an out-of-cycle security update, depending on customer needs."

Although Microsoft advised users who will continue to use IE8 to "Set Internet and local intranet security zone settings to 'High' to block ActiveX Controls and Active Scripting in these zones," Metasploit blogged that "by itself, that will not mitigate -- the exploitation technique used here does not leverage ActiveX controls at all. So, while that is generally good advice, it will not help in this case."

Keep in mind that if you use IE8, but don't believe you are the right audience to be targeted, other cybercrooks will jump on this zero-day and target anyone that they can.

Like this? Here's more posts:

Follow me on Twitter @PrivacyFanatic

Copyright © 2013 IDG Communications, Inc.

Make your voice heard. Share your experience in CSO's Security Priorities Study.