Microsoft patch fixed IE flaw used against U.S. military

Tucked within Microsoft’s September patch release was a fix for a vulnerability that had been used this year in a sophisticated attack aimed at stealing U.S. military secrets.

A proof-of-concept (PoC) exploit for the XMLDOM vulnerability, which Microsoft labeled cve-2013-7331, was first released in April 2013. The PoC was then “re-repurposed and abused” in the February attack against the U.S. Veterans of Foreign Wars’ website, Kurt Baumgartner, principal security researcher, Americas, for Kaspersky Lab, reported Thursday.

Experts believe the attackers were hoping to infect the computers of active military personnel visiting the site in order to eventually steal valuable information. The VFW has 1.4 million members, including 75,000 who are still active.

The sophisticated hackers had booby-trapped the site with a download exploiting XMLDOM and zero-day vulnerabilities within Internet Explorer, Baumgartner said. XMLDOM was used to determine if the Windows system was running Microsoft’s Enhanced Mitigation Experience Toolkit.

“If the parsed return code fails, it means EMET is not present and the attacker can proceed with the exploit,” Micrsoft wrote about XMLDOM.

If EMET was not present, the attackers downloaded a backdoor called “ZxShell,” which exploited a zero-day vulnerability in stealing files from victims’ computers, according to security vendor FireEye, which was the first to report on the VFW website attack.

“Microsoft’s security team quickly put out a patch for the related severe flaw — an IE zero-day remote code execution issue,” Baumgartner told CSOonline.

The ZxShell backdoor contacted a website hosted on an IP address linked to two other hacking campaigns, Operation DeputyDog and Operation Ephemeral Hydra, FireEye said. Both were suspected of originating in China.

Another patch released by Microsoft was for a Windows task scheduler escalation vulnerability that was reminiscent of a zero-day vulnerability exploited by the Stuxnet malware, Baumgartner said.

Stuxnet, discovered in 2010, was used in an attack that destroyed a number of centrifuges within Iranian nuclear facilities. The U.S. and Israel were behind the attack that dealt a significant blow to Iran’s nuclear development operations, according to The New York Times.

The remaining 36 Internet Explorer vulnerabilities enabled remote code execution on various versions of Windows, including the latest 8.1. That critical vulnerability affects IE version 10 and 11.

Besides IE, Microsoft patched a total of five vulnerabilities in .NET, the Windows Lync Server and the task scheduler. The four security bulletins released Tuesday addressed a total of 42 vulnerabilities.

While Microsoft rated the .NET vulnerability MS14-053 “important,” risk management vendor Qualys said it should be treated as “critical,” if a company has the ASP.NET framework installed with an Internet Information Services (IIS) web server.

“If left unpatched, remote un-authenticated attackers can send HTTP/HTTPS request to cause resource exhaustion, which will ultimately lead to denial-of-service condition on the ASP.NET webserver,” Wolfgang Kandek, chief technology officer for Qualys, said in the company’s blog.