Microsoft IE Has Serious Flaw, Someone Has Been Exploiting it for a Year
April 29, 2014 11:00 AM
comment(s) - last by
No fix will come for most Windows XP users
Microsoft Corp. (
a security advisory
threat database entry
this week after a flaw was discovered that affected virtually every active version of Internet Explorer (IE), from IE6 to the latest and greatest IE 11.
I. Who Isn't at Risk
The zero-day flaw was discovered by
, which is known for its Mandiant division that assists corporate and government users with repelling attacks. Many readers will recall that Mandiant
assisted the U.S. government in identifying and tracking
sophisticated hacking squad within China's army
-- Shanghai-based People's Liberation Army Unit 61398.
The flaw won't work on many corporate distributions as since Windows Server 2003, a mode called "Enhanced Security Configuration" (ESC) has been included which sandboxes and restricts the privileges of the browser. ESC is the default in all modern versions of Windows Server (since WS 2003), so unless you explicitly turn off ESC you should be safe.
Microsoft Outlook, Microsoft Outlook Express, and Windows Mail
open messages in IE, but even in consumer versions of Windows they do so in a restricted mode, which disables script and ActiveX controls by default.
Outlook and Windows Mails' restrictions prevent IE from being exploited via malicious links to sites with the freshly found IE flaw. [Image Source: Tested.com]
Those restrictions should eliminate the attack. However, those using a third-party client such as Mozilla's Thunderbird with IE set as the default browser are still at risk.
II. How it Works
The flaw involves so-called
heap feng shui
. The exploit is pretty sophisticated, involving loading allocating and corrupting objects for the third party Adobe Systems Inc. (
The exploit takes advantage of a flaw in IE's handling of Flash objects. [Image Source: Adobe]
In the end you get a vector that can be used to point to arbitrary memory, effectively stripping away
Windows' ASLR (address space layout randomization) and DEP (Data Execution Prevention) memory protection algorithms
. These algorithms are designed to prevent programs from looking at other programs’ memory for either snooping or memory injection purposes.
Again, here we come into a limitation of the bug -- it only allows unprotected memory access within the logged in user's account. So unless a logged in administrator foolishly visits an attack page, the initial damage is limited. However, a savvy attacker could bide their time and test other potential exploits after gaining user access, eventually working their way to root.
In that regard, the attack can be viewed as IE -- and by proxy, the Flash Plug-in -- granting the attacker a foothold in the system.
Every modern version of IE for client computers is at risk from the serious flaw.
Microsoft says this foothold can be used for a number of ill-purposes including:
changing data (memory injection)
installing malicious programs
creating accounts to give attacker full user rights
III. Who is at Risk
Despite the aforementioned limitations (no root, limited opportunities for attacking Windows Server), the attack is still quite dangerous for a few reasons.
First it's relatively rare to find a flaw that affects all versions of IE (but certainly not unprecedented). Such flaws -- even if weaker in practice --
are a major threat by merit of IE's market share alone
, which is typically spread over several recent versions. Fire Eye estimates that over a quarter of Windows users browse using recent versions of IE and are vulnerable.
Second, the attack code does not need any sort of unusual offline tactics, so it's possible to host a webpage that performs the entire attack. This opens a wealth of possibilities for click-baiting in emails, luring users to innocent sound URLs that are really attack pages.
Attackers could use click-baiting to draw users to malicious webpages that exploit the flaw. [Image Source: iStock Photo]
As mentioned, many enterprise users may not be at risk on the server side, but on consumer and enterprise client side, it's a far different story. For those who use IE as their daily browser, you run a risk that any website you visit could exploit the flaw in the browser's security.
IV. Active Exploits Target U.S. Banks, Defense -- NSA? China?
Aside from the higher than normal threat level for the bug, another thing that makes this an attention-catching discovery is the fact that Fire Eye appears to have discovered the bug while probing an attack in the wild. It has uncovered a series of attacks that it dubs "Operation Clandestine Fox".
Fire Eye's Vitor De Souza describes the observed attacks in an interview with
It's a campaign of targeted attacks seemingly against U.S.-based firms, currently tied to defense and financial sectors. It's unclear what the motives of this attack group are, at this point. It appears to be broad-spectrum intel gathering.
Someone has been exploiting the IE flaw in the wild for the last year to target the U.S. banking and defense industry -- one prime suspect is China. [Image Source: DMM News]
At this point it is unclear who performed these attacks. China has long been accused of carrying out attacks on the U.S. financial and defense sectors. But the issue became muddled by recent disclosures of spying by the
U.S. National Security Agency
The details of the NSA's spying campaigns make it clear that determining the attacker is now a much harder matter, as the NSA often reportedly
targets American businesses and citizens alike
with attacks, which it claims protect national security. Some of these attacks are routed through servers housed in regions known for cyber-aggression such as China, raising the risk of false identification (likely the intention).
Likewise, the NSA
regularly uses networks of infected computers (botnets)
. The NSA has been accused of
exploiting for nearly two years the recently discovered flaw in the OpenSSL
encryption protocol's heartbeat feature, a flaw popularized in the media under the name "Heartbleed". While the NSA denied those claims, its internal slides do indicate that it targets the financial sector and that it stockpiles zero day vulnerabilities designed to escalate privileges and/or bypass encryption.
The NSA is another possible proprietor of the attack. [Image Source: Occupy]
Thus at this point the attacker in this campaign to exploit IE's Flash and scripting flaw appears to be highly sophisticated, pointing to a handful of the usual suspects -- the NSA, China, and Eastern European cybercriminals. Whoever's behind these attacks, though, Fire Eye says it believes they have been going on for about a year now.
V. Patching Outlook and How to Protect Yourself
Microsoft is working to patch the flaw in newer versions of Internet Explorer and Windows. But many users of Windows XP -- the
most used operating system of last decade
-- are in the dark after
support to most SKUs of Windows XP ended earlier this month
. Point-of-sale versions of Windows XP are being maintained, and Microsoft has pledged to offer proprietary fixes to a handful of large enterprise users willing to pay it a ransom for the ongoing support. However, for the majority of XP users -- including enterprise clients -- no fix is in sight.
The Windows OS maker's suggestion to customers at risk is to upgrade to a newer version of Windows such as Windows 7 or Windows 8.
Microsoft says the flaw -- which will not be patched on most Windows XP installations -- is one more reason to "turn off" Windows XP and upgrade.
those who refuse to give up XP
, there are some easy steps that can be used to protect the attack:
Don't visit untrusted webpages, don't click on links in email, instead navigate to webpages yourself (this should protect in almost all cases, but requires constant discipline and vigilence)
Disable the flash plug-in
If you do click URL links ine email, only do it in Outlook (which is protected), not in third party clients
Stop using IE altogether -- adopt a third party browser (e.g. Firefox) that isn't at risk
Any or all of those strategies should protect users on recent platforms who are waiting for a fix, and users on the dying Windows XP platform, which may never receive a fix.
Microsoft [TechNet Security Advisory]
Fire Eye [Blog]
This article is over a month old, voting and posting comments is disabled
4/29/2014 12:06:30 PM
Found this solution to mitigate the latest IE vulnerability. Seems like an
easy mitigation with minimal impact to users.
Attacks exploiting the vulnerability also can be foiled by disabling the VGX
library, an antique bit of code that's used to render the Vector Markup
Language in the browser.
"VML should be disconnected as quickly as possible, and it probably doesn't
make any sense to ever reconnect it," Wolfgang Kandek, CTO of Qualys, told
the E-Commerce Times. That can be done by running from the command line in
regsvr32 -u "%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll."
Unlike some of the other measures recommended by Microsoft, disabling the
VGX library will have a minimal impact on a Web-surfing experience. "It only
affects you if you go to a page with VML on it," Kandek said, "and those
pages are hard to find." What's good about the VGX solution is that it works
on all versions of Windows -- even XP, which lost its Microsoft support on
April 8 and won't receive a bug patch, when it's released.
"This time XP users are extremely lucky that a piece of code that nobody
needs was involved in a flaw," Kandek said. "Next time," he continued, "it
may be a piece of code that's important to HTML processing. Then it will not
be that easy to deactivate the code."
RE: Easy Fix
4/29/2014 9:44:57 PM
If you are still using XP, then it is a good idea to use a different browser anyways. The latest Chrome version works great on XP, and gives a better user experience than the old version of IE. That said, my job involves connecting remotely to machines around the world, using various network and VPN solutions. With several customers, I can only get a reliable connection with Windows XP and IE. I'm running Windows 8, but use an XP virtual machine for this.
RE: Easy Fix
4/30/2014 11:29:49 AM
No one should ever use IE at all. It's just not worth it.
Use Opera, Firefox, or Chrome.
RE: Easy Fix
5/1/2014 6:01:50 AM
Symantec has also posted this fix:
However, Symantec also says:
"Symantec protects customers against this attack with the following detections:
Web Attack: MSIE Use After Free CVE-2014-1776"
So I assume, since I have NIS 2013 installed, I am already protected. I hope.
"A lot of people pay zero for the cellphone ... That's what it's worth." -- Apple Chief Operating Officer Timothy Cook
Chinese Government Says Windows 8 is too Expensive, Will Cling to XP
April 23, 2014, 9:45 AM
EFF: NSA May Have Used IRC Botnets to Exploit Heartbleed for Last Two Years
April 14, 2014, 4:43 PM
Comcast Voted Worst Company in America for 2014
April 8, 2014, 4:07 PM
Report: Windows XP Still Running on Over 25 Percent of PCs
April 1, 2014, 2:08 PM
European Commission Calls for Less U.S. Influence on the Internet
February 12, 2014, 11:59 AM
Mozilla Promise Punctual Windows 10 Firefox Release, Teases at iOS Arrival
July 7, 2015, 3:08 PM
Netflix Announces 7-to-1 Stock Split, Eyes Explosive Overseas Growth
June 23, 2015, 8:18 PM
Sources: Hack on Fed. Database Lost 4.1M Social Security Numbers, Personal Info
June 11, 2015, 9:11 PM
The Big One: Chinese Hackers Steal Records of 4 Million U.S. Gov. Employees
June 4, 2015, 8:13 PM
Tutorial: Here's How to Force YouTube or Vimeo VIdeos to Embed as HTML5
June 3, 2015, 10:14 PM
Google Finally Fixes Maps Bug That Was Giving Racist, Profane Results
May 21, 2015, 1:43 PM
Most Popular Articles
F-16 Schools Trillion-Dollar F-35 in Mock Combat, Fleeing is Best Option Pilot Admits
July 1, 2015, 5:53 PM
Apple Music: The Money, The Launch Hiccups, and the Nitty Gritty Details
June 30, 2015, 5:09 PM
Apple iOS 8.4 Rolls Out w/ Fix to Crash-Causing Unicode Text
June 30, 2015, 3:24 PM
Windows XP, Vista Users Can Get Free Windows 10 Upgrade Thanks to Loophole
June 23, 2015, 2:23 PM
Quick Note: Lumia 940 XL "Cityman" Phablet Gets Teased Via Tests
June 29, 2015, 5:51 PM
Latest Blog Posts
Sceptre Airs 27", 120 Hz. 1080p Monitor/HDTV w/ 5 ms Response Time for $220
Dec 3, 2014, 10:32 PM
Costco Gives Employees Thanksgiving Off; Wal-Mart Leads "Black Thursday" Charge
Oct 29, 2014, 9:57 PM
"Bear Selfies" Fad Could Turn Deadly, Warn Nevada Wildlife Officials
Oct 28, 2014, 12:00 PM
The Surface Mini That Was Never Released Gets "Hands On" Treatment
Sep 26, 2014, 8:22 AM
ISIS Imposes Ban on Teaching Evolution in Iraq
Sep 17, 2014, 5:22 PM
More Blog Posts
Copyright 2015 DailyTech LLC. -
Terms, Conditions & Privacy Information