Microsoft warns Internet Explorer 6 to 11 vulnerable to zero-day spotted in the wild

Apr 27, 2014 · 3 mins
Data and Information Security, Enterprise Applications, Microsoft

FireEye researchers spotted a new zero-day in the wild; all versions of IE are vulnerable, but IE 9-11 are being targeted in 'Operation Clandestine Fox.'

“Microsoft is aware of limited, targeted attacks that attempt to exploit a vulnerability in Internet Explorer 6, Internet Explorer 7, Internet Explorer 8, Internet Explorer 9, Internet Explorer 10, and Internet Explorer 11,” states a security advisory for CVE-2014-1776 that Microsoft released late on Saturday.

FireEye Research Labs identified this new zero-day that is actively being exploited in an ongoing campaign dubbed “Operation Clandestine Fox.” The zero-day is “significant” since the vulnerable versions of Internet Explorer “represent about a quarter of the total browser market.” More specifically, FireEye said the “vulnerability affects IE 6 through IE 11, but the attack is targeting IE 9 through IE 11. This zero-day bypasses both ASLR and DEP.”

Microsoft said:

“The vulnerability is a remote code execution vulnerability. The vulnerability exists in the way that Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated. The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website.”

FireEye said, “The APT group responsible for this exploit has been the first group to have access to a select number of browser-based 0-day exploits (e.g. IE, Firefox, and Flash) in the past. They are extremely proficient at lateral movement and are difficult to track, as they typically do not reuse command and control infrastructure.”

Although the researchers’ investigation is still ongoing, they shared some exploitation details: the “exploit leverages a previously unknown use-after-free vulnerability, and uses a well-known Flash exploitation technique to achieve arbitrary memory access and bypass Windows’ ASLR and DEP protections.”

During a BSides presentation in February, a Bromium Labs security researcher bypassed “all of the protections” in Microsoft’s free Enhanced Mitigation Experience Toolkit (EMET) 4.1. Shortly thereafter, Microsoft released a tech preview of EMET version 5. However, FireEye researchers are recommending EMET as a mitigation for the current zero-day exploiting IE.

“Using EMET may break the exploit in your environment and prevent it from successfully controlling your computer. EMET versions 4.1 and 5.0 break (and/or detect) the exploit in our tests. Enhanced Protected Mode in IE breaks the exploit in our tests. EPM was introduced in IE10. Additionally, the attack will not work without Adobe Flash. Disabling the Flash plugin within IE will prevent the exploit from functioning.”

Microsoft is currently investigating and working on a fix, but this is a zero-day being exploited in the wild after security patches for XP have come to an end. However, XP was stuck on IE 8, which is vulnerable but is not currently being targeted in “Operation Clandestine Fox.”

Ms. Smith (not her real name) is a freelance writer and programmer with a special and somewhat personal interest in IT privacy and security issues. She focuses on the unique challenges of maintaining privacy and security, both for individuals and enterprises. She has worked as a journalist and has also penned many technical papers and guides covering various technologies. Smith is herself a self-described privacy and security freak.