Attackers are using a critical Microsoft Internet Explorer (IE) flaw to target unsuspecting victims and gain control of their machines, according to researchers at Symantec Corp., who detected the exploit in the wild.
We have only seen limited attacks taking advantage of this vulnerability and believe the exploit is only being carried out in targeted attacks at present. Symantec advises all users to install the patch.
Joji Hamada, researcher, Symantec Corp.
The drive-by attack was detected on a compromised restaurant website. Attackers are targeting a Time Element Uninitialized memory Remote Code Execution Vulnerability in the browser. The flaw affects Internet Explorer 6, 7 and 8 running on all supported versions of Microsoft Windows.
The flaw is one of 11 IE vulnerabilities repaired by Microsoft June 18 as part of its Patch Tuesday round of security bulletins. Symantec researcher Joji Hamada said the exploit appears to be targeting users of IE 8.
“We have only seen limited attacks taking advantage of this vulnerability and believe the exploit is only being carried out in targeted attacks at present,” Hamada wrote in the Symantec Security Response blog. “Symantec advises all users to install the patch.”
The exploit was detected hidden in code on a compromised website hosting content for a neighborhood restaurant, according to Hamada. A user browsing to the website using IE 8 would automatically download the code hidden in an iframe tag that links to the server hosting the malicious code.
“It's likely that the attacker sends emails to targets with a link to the website with the intent to steal confidential information, which is a common method used in targeted attacks,” Hamada said.
Further analysis of the malware by Symantec found the attack includes a link to a website that may offer the cybercriminals statistical analysis. The downloaded malware connects to a dynamic DNS service used to either control the victim’s machine or upload more malware to steal sensitive information from the victim.
The flaw being targeted in the wild was discovered by NSFocus Information Technology Co. Ltd, a network security services firm based in Beijing. According to an advisory issued by NSFocus, the flaw exists in the browser itself without triggering additional ActiveX controls.
It is not uncommon for exploits to surface targeting Microsoft vulnerabilities shortly after the software giant issues patches fixing them. The 11 Internet Explorer vulnerabilities fixed by Microsoft included a repair blocking a “cookiejacking” issue, which would allow an attacker to acquire cookies from a user’s system and access websites they previously were logged in to. Robert McArdle, a researcher at Trend Micro wrote that cookiejacking poses a major risk to users.
“The vast majority of attacks are now hidden from view; you may not know that something malicious is taking place and even the result of user interaction may not throw up any obvious problem,” McArdie wrote.