The exploit leverages a previously unknown use-after-free vulnerability, and uses a well-known Flash exploitation technique to achieve arbitrary memory access and bypass Windows address space layout randomization (ASLR) and Data Execution Prevention (DLP).
Microsoft has assigned CVE-2014-1776 to the flaw and has released a security advisory noting that the vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within IE. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website. The purpose, of course, is to gain control of the machine and lift sensitive information; an attacker who successfully exploits this vulnerability would gain the same user rights as the current user.
It should be noted that although the attack is going after IE9 through IE11, the vulnerability actually affects IE6 through IE11. And, it’s the first zero-day vulnerability that will not be patched for Windows XP users, as Microsoft ended support for the operating system on April 8.
“This is the first major known exploit of a vulnerability to affect Windows XP since the official end of support earlier this month,” said Simon Townsend, chief technologist of Europe at AppSense, in a comment to Infosecurity. “Recent research from AppSense suggests that as much as 77% of British businesses are running Windows XP in some capacity beyond the end of support deadline. Such organizations could be impacted by further exploits to this vulnerability as malware creators take further advantage of this security hole which will remain open, due to the end of patches and security fixes for Windows XP by Microsoft.”
He added, “By using an unsupported platform, organizations are taking a very real risk in terms of data security as highlighted by this exploit, and need to either move off XP or strictly control user rights and application usage.”
FireEye Research Labs identified the exploit and has determined that, for now, it’s being used in targeted attacks that are part of an ongoing campaign named Operation Clandestine Fox. The group has used IE, Firefox and Flash zero-days in the past, so the tactic is par for the course, FireEye said. The group also uses a number of backdoors, including one known as Pirpi, which it has used with zero-days before.
“They are extremely proficient at lateral movement and are difficult to track as they typically do not reuse command and control infrastructure,” researchers noted. As this is still an active investigation, FireEye said that it wouldn’t release further indicators about the exploit or the group for now, but it does break down the basic outline of the attack in its blog.
The zero-day is almost by definition significant considering that the targeted versions represent about a quarter of the total browser market. According to NetMarket Share, the market share for the targeted versions of IE in 2013 were: IE 9, 13.9%; IE 10, 11.04%; and IE 11, 1.32%. So, collectively, in 2013 the vulnerable versions of IE accounted for 26.25% of browser use.
That said, David Harley, senior research fellow at ESET, put things into perspective in an emailed comment. “Firstly, don’t panic,” he said. “The known attacks at present are limited in scope and volume. Being reasonably careful about which sites you visit is in itself likely to reduce the risk. On the other hand, users shouldn’t lapse into complacency.”
There’s no patch yet of course, but FireEye noted that the attack will not work without Adobe Flash – so, disabling the Flash plugin within IE will prevent the exploit from functioning. Also, Microsoft said that the Enhanced Mitigation Experience Toolkit (EMET) 4.1 and above may break the exploit and prevent it from successfully controlling the targeted computer. EMET versions 4.1 and 5.0 broke and/or detected the exploit in FireEye’s tests, as does Enhanced Protected Mode, which was introduced in IE10.
Symantec also found that unregistering a DLL file named VGX.DLL does the trick too – and this is the best option for XP users. This file provides support for VML (Vector Markup Language) in the browser.
“This is not required by the majority of users,” it said. “However, by unregistering the library, any application that uses the DLL may no longer function properly. Also, some applications installed on the system may potentially re-register the DLL. With this in mind, the following one line of instruction can be executed to make the system immune from attacks attempting to exploit the vulnerability. This line of instruction can be used for all affected operating systems: "%SystemRoot%\System32\regsvr32.exe" -u "%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll."
Symantec has also developed a batch file that can be used to perform the task for those who may be required to administrate large IT infrastructures.
ESET’s Harley added that setting IE Active Scripting and ActiveX to prompt, which can be mildly irritating for a user, reduces the attack surface, “if you actually disallow it on prompt, unless you know you need it, or try disabling it altogether.”
He added, “The simplest route is to set IE security levels to ‘high’, or use Enhanced Protected Mode in IE versions that support it. As a way of generally decreasing the attack surface on an unsupported OS, Windows XP users should already be setting IE security level to ‘high’.”