A zero-day vulnerability in Microsoft Internet Explorer 10 that security firm FireEye recently discovered in the wild has been spreading rapidly following initial reports that multiple gangs of hackers had likely bought it from a single third-party vendor. The attacks have prompted concern in the software security community and offer a reminder of the rapid speed at which cyberthreats can disseminate – a compelling reason to strengthen application security during the development phase.
According to Computerworld, FireEye first reported the vulnerability Feb. 13, noting that it had discovered a compromised website that used the exploit – which sidesteps address space layout randomization using Flash ActionScript – in a "classic drive-by download attack." The exploit will then download an encoded payload and execute it. Microsoft soon confirmed the vulnerability, and FireEye said it was working with the software company to resolve it. The flaw surfaced just two days after Microsoft released a major IE update that addressed 24 flaws, including 15 in IE10.
"The vulnerability is a remote code execution vulnerability," Microsoft stated in a Feb. 19 security advisory. "The vulnerability exists in the way that Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated. The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website."
A spreading problem
The same day Microsoft published its security advisory, which included mitigation tips, Seculert CTO Aviv Raff noted that two hacker groups appeared to be exploiting it separately using slightly different techniques. He explained to Computerworld that it's rare to see the same zero-day appear in separate places simultaneously and suggested that both groups had purchased information about the flaw from the same third-party source.
More recently, Symantec researchers published a Feb. 25 blog post stating that the exploit had become widespread and that "zero-day attacks are expanding to attack average Internet users" in addition to a few select persistent targets. Attacks increased sharply starting Feb. 22 and now appear to come mostly from the same source. Websites appear to have been modified either to host the exploit directly or to contain an iframe redirecting the browser to another compromised site. The majority of affected sites are in Japan, but some in Hong Kong, the United States, Canada and China have been infected as well. When the exploit succeeds, it drops a banking Trojan that steals login credentials for certain banks.
As Microsoft works to release a patch, the rapid spread of the exploit and its apparent availability on the black market should offer a firm reminder to vendors of how quickly a software security error can manifest itself as a major problem for users. Developers can institute more secure coding processes, such as using static analysis software during development, to catch errors before they are released into the wild.
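The defect class Microsoft's advisory describes, an object that is still referenced after it has been deleted, and the ownership discipline that static analysis tools check for, shown as an added illustration in C. This is not Internet Explorer code and not from the article; the element/view structures and the reference-counting scheme are assumptions made for the example.

```c
#include <stdlib.h>

/* Constructed example: a reference-counted element shared between a
 * "document" that creates it and a "view" that keeps using it. */
typedef struct {
    int refcount;
    int id;
} element_t;

element_t *element_new(int id) {
    element_t *e = malloc(sizeof *e);
    if (!e) abort();
    e->refcount = 1;   /* the creator holds the first reference */
    e->id = id;
    return e;
}

void element_retain(element_t *e) { e->refcount++; }

/* The object is freed only when the last holder lets go of it. */
void element_release(element_t *e) {
    if (--e->refcount == 0) free(e);
}

typedef struct { element_t *focused; } view_t;

/* Vulnerable pattern: the view stores a raw pointer without taking a
 * reference, so once the document releases the element, v->focused points
 * at freed memory. Static analysers report this as a use-after-free.
 * Shown for contrast only; it is never called below. */
void vulnerable_focus(view_t *v, element_t *e) { v->focused = e; }

/* Hardened pattern: the view owns a reference for as long as it points at
 * the element, so the element cannot be deleted out from under it. */
void view_focus(view_t *v, element_t *e) {
    element_retain(e);
    if (v->focused) element_release(v->focused);
    v->focused = e;
}

void view_clear(view_t *v) {
    if (v->focused) element_release(v->focused);
    v->focused = NULL;
}

int view_focused_id(const view_t *v) {
    return v->focused ? v->focused->id : -1;
}

/* Document creates an element, the view focuses it, the document then
 * drops it; with the hardened view the id is still readable afterwards. */
int demo_hardened(void) {
    element_t *e = element_new(42);
    view_t v = { NULL };
    view_focus(&v, e);
    element_release(e);           /* document deletes: refcount 2 -> 1, no free */
    int id = view_focused_id(&v); /* safe: the object is still alive */
    view_clear(&v);               /* last reference dropped: freed here */
    return id;
}
```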
Software news brought to you by Klocwork Inc., dedicated to helping software developers create better code with every keystroke.