More Victims in IE Zero Day

Thursday, January 3, 2013 @ 07:01 PM gHale


The watering hole attack exploiting an Internet Explorer Zero Day vulnerability did not just hit Council on Foreign Relations (CFR) site. It also hit a supplier to the energy industry.

A Metasploit contributor, Eric Romang, said Capstone Turbine Corp., which builds power generation equipment for utilities, had been infected with malware exploiting CVE-2012-4969 since September and with the latest IE exploit since Dec. 18.


Meanwhile, a Metasploit module for the vulnerability has been added to the exploit platform, which could rapidly increase the public availability of exploits.

Microsoft said it is still working on a security update for the browser vulnerability; as a temporary workaround, it released a Fix It on Monday.

Watering hole attacks use drive-by downloads to target visitors of particular websites; attackers infect the sites with malware that gives the attacker access to the victim’s computer to install more malware or monitor their activities. Watering hole attacks have been used in previous advanced persistent threat (APT)-style attacks against Google, large manufacturers and technology companies.

Capstone figures to be a valuable target, Romang said, given its position in the energy community as a producer of microturbine energy products. He found the same malicious HTML file on the Capstone site as was on the CFR site.

The Zero Day is a use-after-free vulnerability affecting IE 6, 7 and 8, researchers said. IE 9 and 10 do not suffer from the problem.

The CFR website has been compromised since early December, Romang said. Attackers used a malicious Adobe Flash file called today.swf to launch a heap spray attack against IE, overrunning memory and enabling an attacker to remotely execute code on an infected computer. The JavaScript hosting the exploit first checks whether the Windows language is English, Chinese, Japanese, Korean or Russian before executing. It also uses cookies to ensure the attack is delivered only once per visitor.
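As an added defender's-side illustration (not code from the article or from Romang's analysis), the following Python heuristics flag page scripts that combine the traits described above: language gating, cookie-based one-shot delivery and a Flash object named today.swf. The navigator.* property names, the locale strings, the sample scripts and the scoring threshold are assumptions, not details taken from the real exploit.

```python
import re

# Constructed sample of a landing script showing the traits the article
# describes: language gating, a cookie so the payload is served only once,
# and loading a Flash file named today.swf. Property names are assumptions.
SUSPECT_JS = """
var l = navigator.systemLanguage.toLowerCase();
if (l == "en-us" || l == "zh-cn" || l == "ja" || l == "ko" || l == "ru") {
  if (document.cookie.indexOf("visited") == -1) {
    document.cookie = "visited=1";
    document.write('<object data="today.swf"></object>');
  }
}
"""

# Constructed benign script: reads the locale but shows none of the other traits.
BENIGN_JS = """
var lang = navigator.language;
document.getElementById("greet").innerText = "Hello";
"""

# Each heuristic is a (name, regex) pair. Any single one is common in
# legitimate pages; it is the combination that makes a script worth a look.
HEURISTICS = [
    ("language_gate", re.compile(r"navigator\.(systemLanguage|userLanguage|browserLanguage)", re.I)),
    ("locale_list", re.compile(r"(en-us|zh-cn|ja|ko|ru)[\"'].{0,40}(en-us|zh-cn|ja|ko|ru)[\"']", re.I)),
    ("cookie_once", re.compile(r"document\.cookie\s*\.indexOf\(", re.I)),
    ("flash_embed", re.compile(r"\.swf\b", re.I)),
    ("named_swf", re.compile(r"\btoday\.swf\b", re.I)),
]

def score_page(js: str) -> dict:
    """Return the heuristics that fire and a verdict (threshold of 3 is an assumed tuning value)."""
    hits = [name for name, rx in HEURISTICS if rx.search(js)]
    return {"hits": hits, "suspicious": len(hits) >= 3}

if __name__ == "__main__":
    print(score_page(SUSPECT_JS))
    print(score_page(BENIGN_JS))
```

The same function can be run over scripts pulled from a proxy cache or a crawl of a site you are responsible for, with the locale list and threshold adjusted to your environment.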

CFR is a foreign-policy resource; notable public figures are among its directors and membership. Those government and public officials are the likely targets of the espionage campaign.

Microsoft recommends users deploy the Fix It or update their browsers to the latest version. Microsoft’s Jonathan Ness and Cristian Craioveanu wrote in a blog post that the MSHTML appcompat shim modifies the vulnerable function to return NULL.

The vulnerability, Microsoft said, occurs in the way IE accesses an object in memory that has been deleted or not properly allocated. Memory could become corrupted, allowing an attacker to execute code with the user’s privileges.


