IE zero-day used in targeted watering hole attacks
News that an Internet Explorer zero-day vulnerability was being and has been for quite some time been used in a new “watering hole” attack has livened the otherwise uneventful last week of 2012.
The exploited website was that of the Council on Foreign Relations, an organization, publisher, and think tank specializing in U.S. foreign policy and international affairs, among whose members are a number of high-profile U.S. government and political figures such as former secretary of state Madeleine Albright, former treasury secretary Robert Rubin, and many others.
According to security researcher Eric Romang, the website seems to have been compromised as early as December 7, and possibly even earlier.
FireEye’s researchers have been alerted to the compromise on December 27 and proceeded to analyze the attack and discover its use of a previously unknown Microsoft Internet Explorer vulnerability.
Visitors to the website who used IE 6,7, or 8, had Flash and Java 6 installed, and had the OS language set on U.S. English, Chinese, Taiwan Chinese, Russian, Korean or Japanese were unknowingly redirected to a page serving a malicious Shockwave Flash File (today.swf) that would trigger the vulnerability. Others were redirected to a blank page.
“When the Flash object was loaded, it performed a heap-spray and injected the shellcode used to locate the xsainfo.jpg file, decode it, and store it in the %Temp%/flowertep.jpg file, Symantec’s researchers explained. “Next, a request was sent for the robots.txt file which gets de-obfuscated and then used to load the malicious payload (flowertep.jpg) using techniques to by-pass DEP and ASLR on Windows 7.”
All this was performed to ultimately allow a secret download of a variant of the Bifrose backdoor, which would give the attackers access to the targeted machines, which largely belong to U.S. users.
Upon the discovery of the attack, Microsoft began working on a patch. They issued a security advisory warning the public about this zero-day ‘CDwnBindInfo’ use-after-free remote code execution vulnerability.
The flaw affects only IE versions 6, 7 and 8, so users are advised to update to IE 9 or 10 in order to avoid being compromised, or to install Microsoft’s “Fix it” solution that reduces the attack surface of the flaw by applying workaround configuration changes.
“Applying this workaround will not interfere with the installation of the final security update that will address this issue,” stated Microsoft’s Cristian Craioveanu, but advised on uninstalling the workaround once the final security update is installed because it has a small effect on the startup time of Internet Explorer. There’s no word yet on when we can expect the security update.
In the meantime, Sophos researchers have also begun analyzing the attack and are claiming that the same exploit was spotted being used on at least five additional websites.