May 6, 2013
U.S. Department of Labor, U.S. Department of Energy Compromised
According to Computer World, a flaw in Microsoft’s most-used browser has led to a number of active exploits, “including watering hole-style attacks against the U.S. Department of Labor as well as nuclear weapons researchers with the U.S. Department of Energy.”
The software giant said in a security advisory late on May 3 that it is working on a patch to fix the flaw. The company did not, however, announce when the patch would be released. The next regular security update is scheduled for May 14.
“The vulnerability exists in the way that Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated,” the security advisory reads. “The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website.”
Only Internet Explorer 8 has been targeted, Microsoft said, adding that versions 6, 7, 9 and 10 of Internet Explorer are not affected by the vulnerability.
Although news of the attacks first began circulating in the middle of last week, Microsoft did not confirm there was a problem until the evening of May 3.
Earlier in the week, security firm Invincea reported that the watering hole attacks were exploiting an IE8 vulnerability (CVE-2012-4792) that Microsoft had patched at the beginning of the year. In a second blog post, however, the firm admitted it had made an error, adding that the zero-day exploit targeted a previously unknown vulnerability.
“This compromise is now widely believed to be a watering hole attack that involves compromising one Federal Dept (DoL) to target another (DoE),” wrote Invincea security engineer Eddie Mitchell. “Furthermore, AlienVault is reporting that the C&C protocol involved with this attack matches that of Chinese APT DeepPanda that has been previously analyzed by Crowdstrike.”
“The exploit on the DoL site appears to be exploiting a zero-day exploit affecting Internet Explorer 8 (IE8) only use-after-free memory vulnerability that when exploited allows an attacker to remotely execute arbitrary code,” he added.
Microsoft is urging all IE users to adhere to the tips offered in the Microsoft Safety & Security Center, including using a firewall, performing regular software updates and installing anti-malware software.
The following mitigating factors, as written by Microsoft, were included in the advisory:
• By default, Internet Explorer on Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2 runs in a restricted mode that is known as Enhanced Security Configuration. This mode mitigates this vulnerability.
• By default, all supported versions of Microsoft Outlook, Microsoft Outlook Express, and Windows Mail open HTML email messages in the Restricted sites zone. The Restricted sites zone, which disables script and ActiveX controls, helps reduce the risk of an attacker being able to use this vulnerability to execute malicious code. If a user clicks a link in an email message, the user could still be vulnerable to exploitation of this vulnerability through the web-based attack scenario.
• An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
• In a web-based attack scenario, an attacker could host a website that contains a webpage that is used to exploit this vulnerability. In addition, compromised websites and websites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these websites. Instead, an attacker would have to convince users to visit the website, typically by getting them to click a link in an email message or Instant Messenger message that takes users to the attacker’s website.