Zero Day for Internet Explorer

Monday, April 28, 2014 @ 06:04 PM gHale


There is a Zero Day vulnerability in all versions of Internet Explorer seeing use in “limited, targeted attacks,” Microsoft officials said.

They are investigating the vulnerability and exploit and have not yet determined what action they will take in response or when.


All versions of Internet Explorer from 6 through 11 are vulnerable, as are all supported versions of Windows other than Server Core. Windows Server versions where IE runs in the default Enhanced Security Configuration are not vulnerable unless an affected site ends up placed in the Internet Explorer Trusted sites zone.

FireEye, which discovered the issue, said while the vulnerability affects all versions of IE, the attack is specific to versions 9, 10 and 11. It is a “use after free” attack in which memory objects in the browser end up manipulated after release. The attack bypasses both DEP (Data Execution Prevention) and ASLR (Address Space Layout Randomization).

The specific exploit uses an Adobe Flash SWF file to manipulate the heap with a technique called heap feng shui, the FireEye researchers said.

EMET, the Enhanced Mitigation Experience Toolkit, will also make it more difficult to exploit this vulnerability.
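The article names three things that change exposure on a given machine: which IE build is installed, whether Enhanced Security Configuration is on (and whether a site has been added to the Trusted sites zone, which defeats it), and whether EMET is present. The following PowerShell audit is an added example, not code from the article, FireEye or Microsoft; it assumes the standard registry locations for the IE version string, the ESC "IsInstalled" flags and the per-user ZoneMap, and that EMET 4.x registers a Windows service named EMET_Service.

```powershell
# Added audit script (not from the article, FireEye or Microsoft).
# Assumptions: standard registry paths for the IE version, the ESC flags and
# the per-user Trusted sites zone map; EMET 4.x service name EMET_Service.

function Get-IEVersion {
    $key = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer'
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    # svcVersion is populated on IE 10/11; older builds only carry Version
    if ($props.svcVersion) { return $props.svcVersion }
    return $props.Version
}

function Get-IEEscState {
    # ESC state is stored as IsInstalled under two Active Setup component keys
    # (one for Administrators, one for Users).
    $base  = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components'
    $admin = Join-Path $base '{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}'
    $user  = Join-Path $base '{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}'
    [PSCustomObject]@{
        AdminsEnabled = [bool](Get-ItemProperty $admin -ErrorAction SilentlyContinue).IsInstalled
        UsersEnabled  = [bool](Get-ItemProperty $user  -ErrorAction SilentlyContinue).IsInstalled
    }
}

function Get-TrustedSites {
    # Zone 2 is the Trusted sites zone. Entries live as Domains\<domain>[\<host>]
    # with a value named after the scheme (http, https or *) holding the zone id.
    # EscDomains holds the same map used while ESC is active.
    $roots = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains'
    )
    foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }
        Get-ChildItem -Path $root -Recurse | ForEach-Object {
            $key = $_
            foreach ($valueName in $key.GetValueNames()) {
                if ($key.GetValue($valueName) -eq 2) {
                    # Registry stores "example.com\www"; rebuild "www.example.com"
                    $rel   = $key.Name -replace '^.*\\(Esc)?Domains\\', ''
                    $parts = $rel -split '\\'
                    [array]::Reverse($parts)
                    [PSCustomObject]@{
                        Host   = ($parts -join '.')
                        Scheme = $valueName
                        Map    = (Split-Path $root -Leaf)
                    }
                }
            }
        }
    }
}

function Test-EmetPresent {
    # EMET 4.x installs a service named EMET_Service (assumed here).
    $svc = Get-Service -Name 'EMET_Service' -ErrorAction SilentlyContinue
    return [bool]$svc
}

$ver     = Get-IEVersion
$esc     = Get-IEEscState
$trusted = @(Get-TrustedSites)
$emet    = Test-EmetPresent

# Every IE 6-11 build is affected per the advisory, so the version is reported
# for inventory; the remaining lines are the mitigations the article names.
Write-Host "Internet Explorer version : $ver"
Write-Host "ESC (Administrators/Users): $($esc.AdminsEnabled) / $($esc.UsersEnabled)"
Write-Host "EMET service present      : $emet"
if ($trusted.Count -gt 0) {
    Write-Host "Trusted sites zone entries (a site listed here is not covered by ESC):"
    $trusted | Format-Table -AutoSize
} else {
    Write-Host "No entries in the Trusted sites zone."
}
```

Run it in an elevated PowerShell session on each host; an empty Trusted sites list with ESC enabled matches the configuration the article describes as not vulnerable on Windows Server, while an EMET service present on workstations corresponds to the hardening the article says makes exploitation harder.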

FireEye Research Labs identified the IE Zero Day. This Zero Day bypasses ASLR and DEP. Microsoft has assigned CVE-2014-1776 to the vulnerability and released a security advisory to track this issue.

“Threat actors are actively using this exploit in an ongoing campaign which we have named ‘Operation Clandestine Fox,’” FireEye researchers said on a blog. “However, for many reasons, we will not provide campaign details. But we believe this is a significant Zero Day as the vulnerable versions represent about a quarter of the total browser market. We recommend applying a patch once available.”

According to NetMarket Share, the market share for the targeted versions of IE in 2013 was:
• IE 9: 13.9 percent
• IE 10: 11.04 percent
• IE 11: 1.32 percent

Collectively, in 2013, the vulnerable versions of IE accounted for 26.25 percent of the browser market. The vulnerability itself, however, exists in IE6 through IE11, even though the exploit targets IE9 and higher.

“The exploit leverages a previously unknown use-after-free vulnerability, and uses a well-known Flash exploitation technique to achieve arbitrary memory access and bypass Windows’ ASLR and DEP protections,” the researchers said on their blog.

“The exploit page loads a Flash SWF file to manipulate the heap layout with the common technique heap feng shui. It allocates Flash vector objects to spray memory and cover address 0x18184000. Next, it allocates a vector object that contains a flash.Media.Sound() object, which it later corrupts to pivot control to its ROP chain.”

“The SWF file calls back to JavaScript in IE to trigger the IE bug and overwrite the length field of a Flash vector object in the heapspray. The SWF file loops through the heapspray to find the corrupted vector object, and uses it to again modify the length of another vector object. This other corrupted vector object is then used for subsequent memory accesses, which it then uses to bypass ASLR and DEP.”
