Internet Explorer (IE) 6, 7 and 8 contain a Zero Day vulnerability that attackers are using to hijack victims’ Windows computers.
Microsoft is “working around the clock” on a patch, its engineers said. They have also released a preliminary workaround that will protect affected IE customers until the update is ready.
In a security advisory issued Dec. 29, Microsoft said attacks are taking place. “Microsoft is aware of targeted attacks that attempt to exploit this vulnerability through Internet Explorer 8,” the alert said.
Newer versions of IE, including 2011’s IE9 and this year’s IE10, do not suffer from the issue, Microsoft said. The company urged users to upgrade to those versions.
According to multiple security firms, hackers used the vulnerability to exploit Windows PCs whose owners visited the website of the Council on Foreign Relations (CFR), a non-partisan foreign policy think tank with offices in New York and Washington, D.C.
On Friday, FireEye confirmed earlier reports that the CFR website had been compromised by attackers and was hosting exploit code as early as Dec. 21. As of mid-day Wednesday, Dec. 26, the site was still conducting “drive-by” attacks against people running IE8, said Darien Kindlund, senior staff scientist at FireEye, in a Friday blog post.
Kindlund said the malware hidden on the CFR website used Adobe Flash Player “to generate a heap spray attack” against IE8. It wasn’t clear whether Flash also contained a Zero Day, or whether the attackers leveraged an already-known and previously patched vulnerability not fixed on the victims’ PCs.
On Saturday, Jaime Blasco, the labs manager at AlienVault, said the exploit was able to circumvent Microsoft’s anti-exploit technologies, DEP (data execution prevention) and ASLR (address space layout randomization), and successfully compromise Windows XP and Windows 7 PCs running IE8. He identified the IE bug as a likely “use-after-free” vulnerability, a type of memory management flaw.
AlienVault, said Blasco, had begun looking into the “watering hole” attacks stemming from the CFR website at the beginning of the week, and had alerted the Microsoft Security Response Center (MSRC) that it suspected IE had a Zero Day.
In a watering hole campaign, hackers identify their intended targets, even to the individual level, then scout out which websites they frequently visit. The attackers next compromise one or more of those sites, plant malware on them and, like a lion waiting at a watering hole for unwary wildebeests, wait for unsuspecting users to surf there.
Jonathan Ness and Cristian Craioveanu, engineers on Microsoft’s security team, provided some details on the IE flaw in a separate post to the Security Research & Defense blog.
They also said there is a “shim” available that can protect IE6, IE7 and IE8 users if they’re running the most up-to-date versions of those browsers.
Shim is a term used to describe an application compatibility workaround. Microsoft has applied shims in the past to help customers ward off active attacks against IE.