IE PoC Released, Attackers Pounce

Monday, July 18, 2016 @ 04:07 PM gHale


Neutrino exploit kit developers added a just-patched Internet Explorer (IE) bug after researchers published a proof-of-concept (PoC) exploit.

It all started with two remote code execution vulnerabilities in the JScript and VBScript scripting engines used in Windows, which Microsoft patched in May. The flaws, tracked as CVE-2016-0187 and CVE-2016-0189, could be exploited through IE, for which Microsoft released a separate security bulletin.


Symantec reported CVE-2016-0189 was exploited in targeted attacks aimed at users in South Korea before Microsoft fixed the vulnerability. Experts said the attackers likely delivered the exploit via compromised websites or spear-phishing emails.

Researchers from Austin, TX-based security R&D startup Theori last month analyzed Microsoft’s patch and created a PoC exploit for CVE-2016-0189, which they successfully tested on IE 11 running on Windows 10.

After the researchers published the exploit code, however, developers of the Neutrino exploit kit took it and adapted it, said researchers at FireEye.

The vulnerability resides in the scripting engines used by IE, and attackers exploit it to achieve remote code execution (RCE).

In Neutrino attacks, attackers use an Adobe Flash file to deliver exploits. In the attacks observed by the security firm, the Flash file, which profiles the victim’s system in order to determine which exploit to use, included exploits for five vulnerabilities – three for Flash Player and two for IE.

The exploit added to Neutrino is identical to the one published by the researchers, FireEye said. The only difference, they said in a blog post, is in the code that runs after initial control is gained. While the PoC exploit was tested on Windows 10, experts believe attackers might be able to adapt it for older versions of the operating system as well.