2264763977_fbeb2e34ba_z-300x200

Hackers Already Exploiting Microsoft IE Zero Day ​in Federal, Financial Orgs.

Apr 28, 2014 By Sarah Vonnegut

Hackers are already busy at work exploiting a just-discovered zero-day security flaw in Microsoft’s Internet Explorer, posing a serious risk to up to 56% of the world browser market.

The vulnerability was found in all versions of the browser and as of today, “limited, targeted attacks” have been leveraged against IE versions 9, 10, and 11, though all versions 6 through 11 are vulnerable. Security firm FireEye discovered the flaw and reported it to Microsoft on Saturday.

Microsoft announced the vulnerability, CVE-2014-1776, on Saturday night and added that they are currently investigating the issue and will issue a security update as needed. The company says that by default, Microsoft Web Apps like Outlook, Outlook Express, and Windows Mail use Microsoft’s ‘restricted site zone’ that diminish risk of the exploit on those sites. However, many more sites accessed in Internet Explorer could still be used in an attack.

The Exploit:

The flaw “exists in the way that Internet Explorer accesses and object in memory that has been deleted or has not properly allocated,” the advisory states. In essence, it allows hackers to remotely exploit the browser by hosting a maliciously crafted site and getting IE users to access it, opening them up to drive-by downloads.

To be affected by the exploit, the victim would need to click on a link provided by the hacker, through links in emails or instant messages, which would take them to the attacker’s site. Once at the site, the hackers would be able to download malware on your system on the sly. The attacks which already took place used a well-known Adobe Flash vulnerability to exploit the victim’s browser.

The threat group terrorizing IE users with this exploit has previously been responsible for similar zero-day attacks. “They are extremely proficient at lateral movement and are difficult to track, as they typically do not reuse command and control infrastructure,” FireEye wrote. In other words, it’s pretty much all bad news for anyone on their ‘hit list’.

Major Issues Caused by the Flaw:

Employees with administrative user rights would give an attacker more power in exploiting the system once inside.  Admin rights would give the attacker the ability to install programs, delete or change data, and create or delete new user accounts, also with full administrative rights.

It’s especially alarming because of who the hackers exploiting the flaw have been targeting: very specific financial and defense organizations in the US, the security firm found. Considering that around a quarter of internet users were using IE to browse as late as this past January, this flaw is even more troublesome.

Organizations and individuals still running XP on their systems have an even bigger issue on hand. Microsoft ended it’s already extended support earlier this month, so the 15-25% of PC users still using XP are at an even bigger risk. About 10% of the US Federal Government’s systems still run on XP, putting thousands of classified military and governmental systems, not to mention millions of customers that use the 75% of ATMs using the outdated OS, at risk of vulnerabilities like the IE one – without a solution.

When a disclosure makes it to the “mainstream,” like this or Heartbleed for instance, we’ll see a much higher rate of exploits as hackers ‘catch on’ to the flaw. Now is the opportune time to implement a temporary fix for your system and network.

Temporary Fixes:

While we wait for an official patch from Microsoft, organizations and individuals concerned about being a target for these attacks should either use a different browser for the time being or download and employ Microsoft’s Enhanced Mitigation Experience Toolkit (EMET) version 4.1. Additionally, FireEye suggests blocking the vulnerability by using IE in “Enhanced Protected Mode” as well as 64-bit process mode, which you can configure in your IE Internet Options settings.  Another method would be to disable the VML (vector markup language) support by switching off the IE extension labeled VGX.DLL.

A flaw of this size brings up concerns about just how secure the applications and tools we use on a daily basis just are. It’s another reminder of how vitally important it is to secure your SDLC to ensure secure applications from the first release.

For more on CVE-2014-1776 and workarounds, read here.

The following two tabs change content below.
Sarah is in charge of social media and an editor and writer for the content team at Checkmarx. Her team sheds light on lesser-known AppSec issues and strives to launch content that will inspire, excite and teach security professionals about staying ahead of the hackers in an increasingly insecure world.

Latest posts by Sarah Vonnegut (see all)

Stay Connected

Sign up today & never miss an update from the Checkmarx blog

Get a Checkmarx Free Demo Now

Interested in trying CxSAST on your own code? You can now use Checkmarx's solution to scan uncompiled / unbuilt source code in 18 coding and scripting languages and identify the vulnerable lines of code. CxSAST will even find the best-fix locations for you and suggest the best remediation techniques. Sign up for your FREE trial now.

Checkmarx is now offering you the opportunity to see how CxSAST identifies application-layer vulnerabilities in real-time. Our in-house security experts will run the scan and demonstrate how the solution's queries can be tweaked as per your specific needs and requirements. Fill in your details and we'll schedule a FREE live demo with you.