FireEye discovered a new zero-day exploit for IE in the wild – Operation Clandestine Fox

Pierluigi Paganini April 27, 2014

FireEye Research Labs has identified a new IE zero-day vulnerability exploited in a series of targeted attacks part of the Operation Clandestine Fox.

FireEye Research Labs has identified a new Internet Explorer (IE) zero-day vulnerability exploited in a series of targeted attacks. The zero-day flaw affects a wide range of versions of the popular browser, from IE6 to IE11, but experts at FireEye, observed the attack is targeting IE9 through IE11.

The impact of the zero-day exploit is significant because affected versions represent about a quarter of the total browser market according to NetMarket Share:

  • IE 9      13.9%
  • IE 10    11.04%
  • IE 11     1.32%

Also in this case the flaw is a remote code execution vulnerability, it allows attackers to bypass both ASLR and DEP, Microsoft has assigned to the flaw the code CVE-2014-1776 and issued a specific security advisory.

“Microsoft is aware of limited, targeted attacks that attempt to exploit a vulnerability in Internet Explorer 6, Internet Explorer 7, Internet Explorer 8, Internet Explorer 9, Internet Explorer 10, and Internet Explorer 11.

The vulnerability is a remote code execution vulnerability. The vulnerability exists in the way that Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated. The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website.”

The experts have identified an ongoing campaign named “Operation Clandestine Fox”, but haven’t provided further details on it to avoid interfering with the investigation.

“The exploit leverages a previously unknown use-after-free vulnerability, and uses a well-known Flash exploitation technique to achieve arbitrary memory access and bypass Windows’ ASLR and DEP protections.” reports the official post from FireEye.

While Microsoft confirmed that Enhanced Mitigation Experience Toolkit (EMET) could mitigate the threat, breaking the exploit in user’s environment, FireEye confirmed the attack will not work without the presence of Adobe Flash, this means that disabling the Flash plugin within IE will prevent the exploit from functioning.

“Does EMET help mitigate attacks that try to exploit this vulnerability? 
Yes. The Enhanced Mitigation Experience Toolkit (EMET) enables users to manage security mitigation technologies that help make it more difficult for attackers to exploit vulnerabilities in a given piece of software. EMET helps to mitigate this vulnerability in Internet Explorer on systems where EMET is installed and configured to work with Internet Explorer.” reports the advisory issued by Microsoft.

The experts at FireEye reported another intriguing detail on the investigation, the APT group responsible for this zero-day exploit “has been the first group to have access to a select number of browser-based 0-day exploits” in the past.

The group appears particularly active and adopted all necessary countermeasures to avoid to be tracked, the bad actors have different backdoors in their arsenal and never reused the same command and control infrastructures.

FireEye investigations allowed to the security industry to discover eleven zero-day vulnerabilities during 2013, the company analyzed almost 40,000 unique, advanced attacks, over 100 per day.

FireEye zero-day 2013

Stay tuned FireEye will provide further data as soon as possible.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs –  Microsoft zero-day, FireEye)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment