Zero day vulnerability in Internet Explorer being used in targeted attacks, FixIt now available

Filed Under: Featured, Internet Explorer, Malware, Microsoft, Vulnerability

Microsoft releases fix for Internet Explorer security hole, full patch coming FridayInternet Explorer users beware, there is a new zero day (previously unknown, unpatched vulnerability) attack targeting your browser.

Microsoft has issued an advisory about the flaw and it is being referred to as CVE-2012-4792. Microsoft has also made a temporary FixIt available until it can deliver a formal patch.

The flaw affects users of Internet Explorer 6, 7 and 8, but not 9 or 10 and allows for remote code execution with the privileges of the logged in user.

Another poignant reminder that running your computer as a non-administrative user pays off when new flaws are uncovered.

Non-privileged users will severely limit the damage that can be done using a vulnerability like this one.

The vulnerability was initially discovered by FireEye on the Council on Foreign Relations website on December 27th, 2012.

SophosLabs has records showing the Council's website infected as far back as December 7th.

We have seen the exploit used on at least five additional websites suggesting the attack is more widespread than originally thought.

The attack appears to be closely related to attacks we reported on last June that were targeting visitors to a major hotel chain.

While the vulnerability being exploited is entirely different, the payload is nearly identical to the hotel attack and others we have associated with the Elderwood Project.

shutterstock-Wateringhole200While the attacks appeared to be targeted to a small number of sites, there is no obvious link between the victims.

Some are referring to this as a "watering hole" attack, but the evidence we have doesn't necessarily support that conclusion.

If you use Internet Explorer, be sure you are using at least version 9 to avoid being a victim of these attacks. If you can't upgrade, consider using an alternative browser until an official fix is available.

Microsoft's FixIt is intended as a temporary workaround that could also be considered, but until an official fix is available I recommend avoiding IE 8 and lower.

If further information becomes available, we will publish the latest here on Naked Security.

Sophos Anti-Virus on all platforms blocks this malware as follows:

Exp/20124792-B: Misc. files specifically associated with this attack
Sus/Yoldep-A: Encoded payload also seen in other Elderwood Project attacks
Troj/SWFExp-BF: Adobe Flash component
Sus/DeplyJv-A: JavaScript components evolved from earlier Elderwood Project attacks

Update: Microsoft recommends using its EMET tool for the best mitigation against this threat until an official patch is available. You can find more details in the MS Advisory.

Update 2: There are reports that researchers have been able to exploit this vulnerability even with EMET and the FixIt in place. While it may be possible, we have yet to see any in the wild attacks using these techniques.

Watering hole photo courtesy of Shutterstock.

, , , ,

You might like

17 Responses to Zero day vulnerability in Internet Explorer being used in targeted attacks, FixIt now available

  1. SCCMSTL · 609 days ago

    Why would anyone be using IE as far back as 6. Makes no sense No big deal here folks, move along...

    • Old Security Issues · 609 days ago

      Lots of web developers would like everyone to stop using IE 6 as well. But I digress....

      A lot of people also still use Windows XP. You can't use any IE version above 8 on XP.

      • SCCMSTL · 609 days ago

        Windows 7 is now well past the "break in" period. Time to move on from XP.

        • Hank Arnold · 609 days ago

          Easy fo r you to say. I support a non-profit Hospice with limited funds and a whole lot of computers that can't support W7.....

        • Home XP User · 609 days ago

          Yes, just supply us XP home users with a free PC and we'll gladly move on. My laptop works quite happily on XP and does what I need. (Just as well I don't use IE unless I absolutely have to.)

      • Darster · 607 days ago

        I have Windows XP and I'm using a 9

  2. Ken Uhlik · 609 days ago

    I have IE 10 and MSN keeps asking me if i want to update(???)to 9,but i don't use IE(I hate it)i am using Opera(much better -less stupid problems(Yahoo doesn't like it-but that's my choice))Windows 7/64 bit,it's only little problem is turning on the anti-virus(i have to do it manually everytime-ComodoDragon)but other that that,squat.IE 6,7,or 8,would not even work in windows7,so this just for XP users.

    • Get rid of MSN if possible.

      If you already have IE10, it might not help, but Microsoft has an IE9 blocker utility you can download free:
      http://www.microsoft.com/en-us/download/details.a...

      IE8 runs on Win7, and is the default browser upon installation of Win7.

      Using IE in itself is not that dangerous. When people neglect other aspects of security the major problems happen. still exposed to risk when using other browsers.

      ALL BROWSERS HAVE HAD SECURITY VULNERABILITIES AT SOME POINT.

      Microsoft has provided techies with an additional protection utility: EMET.
      http://blogs.technet.com/b/srd/archive/2012/05/15...

      • Using alternate browser in itself is not a secuity silver bullet. Alternate browsers are only one element in good security.

        Have good anti-virus/anti-malware, use "safe computing" practices, keep the operating system and other appllcations patched and you will be safer. If accessing a "secure" web site (for banking, medical, etc.), never have other web pages open in same browser.

        MalwareBytes or similar malware scanners are useful with anti-virus programs.

        Use a file/registry cleanup optimizer, such as CCleaner (free).

        Use boot-time disk defragementation utility, such as UltraDefrag, to improve performance so that security utilities/scanners run more optimally.

        FileHippo or Secunia PSI/OSI (free) can be used to check for needed patches/upgrades.

  3. benji · 609 days ago

    Is Sophos currently providing any protection for this? Or have plans to do so?

    • JimboC_Security · 608 days ago

      Hi benji,

      The gray box out at the end of the above blog post provides the answer to your question. I hope this helps.

      Thank you and Happy New Year.

  4. Ted · 608 days ago

    Come on guys, we all know many, way to many people in our lives when we say, hey you really need to buy a new computer or buy a new operating system and they look at you like you are asking them to buy a new car. With the same adamancy of never buy a new computer until it breaks completely.

  5. roy jones jr · 608 days ago

    Well thats their own decision to not buy a newer operating system. The easy lesson learned is by letting them know which is a preventative measure. The hard lesson is by them getting infected and if you tell them "I can't scavenge your data, everything is gone. I can reformat this but if you use the same OS, the same thing may happen again" usually THAT'S when they go ahead and get with the times.

  6. Gavin · 607 days ago

    Perhaps this would be a good time to bring up Microsoft's most excellent free tool, EMET. The Enhanced Mitigation Experience Toolkit, now at version 3.5, protects against exactly these sorts of zero-day vulnerabilities and should be mentioned a great deal more often, I think.

    I've been using it for a long time, both at home and rolled out to all older-than-WIndows-7 machines at work. It's free and just makes sense.

    • JimboC_Security · 607 days ago

      Hi Gavin,

      Thanks for raising this point.

      The Microsoft Security Advisory linked to by Chester above mentions EMET but you are right, EMET isn’t mentioned enough.

      The reason why this zero day exploit works is that it bypasses DEP using Return Oriented Programming. The current exploit is bypassing ASLR by using a Java DLL or Microsoft Office DLL that are known to be loaded at pre-determined locations. Since EMET by default forces mandatory ASLR these DLLs are no longer loaded at known locations and thus ASLR cannot be bypassed.

      Other benefits of EMET for this exploit include: EMET pre-allocates commonly heap sprayed memory locations when enabled for IE, thus this exploit is blocked by EMET. EMET’s EAF mitigation also blocks the shellcode used in this exploit. All of these details are mentioned in the following Microsoft blog post:
      http://blogs.technet.com/b/srd/archive/2012/12/29...

      One thing I should point out is that EMET is not a perfect tool. It makes exploiting a flaw significantly harder but not impossible. It can also cause issues with certain programs. I would advise thorough testing and also consulting the following EMET forum thread that details known application incompatibilities:
      http://social.technet.microsoft.com/Forums/en/eme...

      Note: The 3.5 version is a Tech Preview version and is not yet fully supported. v3.5 is extremely reliable but again is yet not a fully supported version.

      I hope the above information is of assistance. Thank you.

  7. roy jones jr · 606 days ago

    When the fully supported version arrives, I'll get it.

    • JimboC_Security · 606 days ago

      Hi Roy Jones Jr,

      You don’t need to wait for the fully supported version of EMET to be released.

      The latest fully supported version is v3.0. It is available from the following link:
      http://www.microsoft.com/en-us/download/details.a...

      Additional info about this version is available from the following links:
      http://support.microsoft.com/kb/2458544
      http://blogs.technet.com/b/srd/archive/2012/05/15...

      I am using EMET 3.0 and it works extremely well. So well in fact that I don’t notice it anymore i.e. once the initial configuration is completed it rarely needs further attention.

      If instead you are referring to the final security update for this flaw, this doesn’t appear to be scheduled for release next Tuesday. Until it is released, please use the Fix It Solution mentioned by Chester above.

      I hope this helps. Thank you.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Chester Wisniewski is a Senior Security Advisor at Sophos Canada. He provides advice and insight into the latest threats for security and IT professionals with the goal of providing clear guidance on complex topics. You can follow Chester on Twitter as @chetwisniewski, on App.net as Chester, Chester Wisniewski on Google Plus or send him an email at chesterw@sophos.com.