Microsoft has announced on Friday that this month’s Patch Tuesday will include seven advisories, but unfortunately there will be no patch for the recently detected IE zero-day used in targeted watering hole attacks.
The vulnerability, first spotted being misused to target visitors of the website of the Council on Foreign Relations, a think tank specializing in U.S. foreign policy and international affairs, has since been detected being used in attacks that compromised a number of other websites, including Chinese human rights sites and the site of Capstone Turbine Corp.
Symantec researchers have linked the attacks to the Elderwood gang – a group of hackers that are believed to be working for the Chinese government and that concentrate on gathering and stealing intelligence (trade secrets, contacts, infrastructure details, intelligence for future attacks) and intellectual property (designs and plans) from an ever-increasing number of companies mostly located in the United States.
Their predilection for zero-day vulnerabilities has been well-documented, and their use of a function named HeapSpary (a mistype of Heap Spray) and other similarities discovered by the researchers between all these attacks seem to validate that conclusion.
Still, the worst news comes from researchers from security firm Exodus Intelligence: the Fix It tool released by Microsoft that supposedly reduces the attack surface of the vulnerability is flawed.
“Usually, there are multiple paths one can take to trigger or exploit a vulnerability,” Brandon Edwards, VP of Intelligence at Exodus commented for ThreatPost. “The Fix It did not prevent all those paths.”
They shared their working exploit with Microsoft, and have agreed not to publish it until the vulnerability is adequately patched. Still, that doesn’t mean that the attackers haven’t already figured it out for themselves.