Microsoft issued a widely expected security update today, addressing a serious zero-day vulnerability in Internet Explorer being actively targeted by cybercriminals.
The out-of-band security update repairs five vulnerabilities, all remotely exploitable. It affects users of Internet Explorer 6, 7, 8 and 9. The update is rated critical for affected versions of the browser running on Windows XP, Vista, Windows 7 and rated moderate for Internet Explorer running on Windows Server 2008.
"The most severe vulnerabilities could allow remote code execution if a user views a specially crafted web page using Internet Explorer," Microsoft said in its advisory. "An attacker who successfully exploited any of these vulnerabilities could gain the same user rights as the current user."
It took Microsoft less than a week to address the zero-day flaw, which was detected by a security researcher on Monday. A module was added to the Metasploit penetration platform and proof-of-concept code quickly spread. By Tuesday, Microsoft acknowledged the zero-day flaw and said it detected limited attacks targeting it.
MS12-063 addresses an error in the way Internet Explorer handles objects in memory that have been deleted. The coding error produces memory corruption, which could be used by a cybercriminals to execute malicious code and spread malware. An attack scenario involves luring victims to a malicious website, or a Web page containing malicious code embedded in an advertisement or user generated content, Microsoft said.
Eric Romang, the security researcher that detected the flaw, connected it to the Nitro gang, a cybercriminal group that frequently uses various exploits, including the recent Java zero-day, in targeted attacks.
Internet Explorer zero-day targeting industrial firms
Czech Republic-based antivirus vendor AVAST Software said that it detected the latest Internet Explorer flaw being used in conjunction with a variety of other exploits. Cybercriminal attack campaigns consisted of setting up a malicious website containing the exploits. The attacks used legitimate websites –mostly belonging to industrial manufacturers—that contained flaws, enabling attackers to embed malicious code in them.
The Internet Explorer exploit was accompanied with an exploit exploiting a vulnerability in Adobe Flash carrying a playload consisting of remote access tools, AVAST said. A Java exploit was also detected in the attack websites. AVAST said the websites may have been infected with Poison Ivy, an effective automated attack toolkit designed to steal credentials and spread malware.
"With the combination of the three exploits, the attackers have covered lots of users, as there is quite high probability that at least one of these will be unpatched on the user’s computer," wrote Jindřich Kubec, the director of the AVAST Virus Lab. "We can speculate that there may be a connection to the Nitro gang, which was sending targeted emails to such businesses with hidden RAT tools in order to extract data from the targets – so industrial espionage is the suspected motive of the attackers."
Researchers at San Mateo Calif.-based Alienvault said the attacks traced the ip addresses used by the attackers and found them registering fake domains with names associated with U.S. and U.K. defense contractors, aerospace and weapons parts manufacturers and suppliers.
"We also found a fake domain of a company that builds turbines and power sources used in several applications including utilities and power plants," wrote Jamie Blasco, manager of Alienvault's research labs.