Managed Security Services

Emerging Threat: MS IE 10 Zero-Day (CVE-2014-0322) Use-After-Free Remote Code Execution Vulnerability 

02-19-2014 11:59 AM

EXECUTIVE SUMMARY:

FireEye published a blog on 2/14/2014 describing a new, unpatched vulnerability in Microsoft Internet Explorer 10 (CVE-2014-0322) being exploited in the wild. The compromised website (vfw[.]org) was injected with an iframe that redirects the user to the attacker’s malicious page, which then runs a Flash file. The Flash file contains shellcode and, upon successful exploitation of the IE vulnerability, downloads a PNG file from a remote site. The PNG file has a DLL and an EXE embedded at the bottom. The DLL launches the EXE, which is the payload.

Data uncovered during Symantec investigation suggests a connection between this attack and the malicious actors known to Symantec as Hidden Lynx. The data indicates the same infrastructure is being leveraged as found in a previous attack by this group who used Backdoor.Moudoor.

 

THREAT DETAILS:

The target of this watering hole attack was the vfw[.]org (Veterans of Foreign Wars) website. While this attack was active, visitors to the site would encounter an iframe which was inserted by the attackers in order to load a second compromised page (hosted on aliststatus[.]com) in the background. The iframe's img.html page loads a malicious tope.swf Flash file that exploits a vulnerability in Internet Explorer 10. Symantec detects the malicious iframe as Trojan.Malscript and the malicious SWF file as Trojan.Swifi.

Exploitation of the vulnerability by the SWF file leads to another download from the aliststatus[.]com domain in order to initiate the final stages of the payload. The first part of this download is a PNG image file named erido.jpg (detected as Trojan Horse) that contains multiple embedded binaries, which are then extracted by shellcode executed by the SWF file. The embedded binaries are named sqlrenew.txt, which despite the name is actually a DLL file (also detected as Trojan Horse), and stream.exe (detected as Backdoor.Winnti.C or Backdoor.ZXShell).

Additional code from the SWF file is responsible for loading the sqlrenew.txt DLL file. At this point the DLL takes over and launches a stream.exe process, which is the final payload. This sample is responsible for connecting back to the attacker-controlled newss[.]effers[.]com server.
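As an added illustration (not part of the Symantec advisory or its tooling), the following check targets the delivery technique described above: binaries appended to a PNG after its IEND chunk, in a file whose extension (erido.jpg) does not match its content. It walks the PNG chunk list, returns whatever follows IEND, and reports the offsets of any PE images found there. The sample image and the fake PE stub are constructed inline, so it runs offline.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def png_trailer(data: bytes) -> bytes:
    """Return any bytes after the IEND chunk; a well-formed PNG has none.

    Goes by the signature, not the extension: the advisory's erido.jpg is a PNG.
    """
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        chunk_end = pos + 8 + length + 4  # length, type, payload, CRC
        if chunk_end > len(data):
            raise ValueError("truncated chunk %r" % ctype)
        if ctype == b"IEND":
            return data[chunk_end:]
        pos = chunk_end
    raise ValueError("no IEND chunk found")

def find_embedded_pe(data: bytes) -> list:
    """File offsets of PE images (MZ header whose e_lfanew hits "PE\\0\\0") after IEND."""
    trailer = png_trailer(data)
    base = len(data) - len(trailer)
    hits = []
    i = trailer.find(b"MZ")
    while i != -1:
        if i + 0x40 <= len(trailer):  # full DOS header present, so e_lfanew is readable
            e_lfanew = struct.unpack_from("<I", trailer, i + 0x3C)[0]
            if trailer[i + e_lfanew:i + e_lfanew + 4] == b"PE\0\0":
                hits.append(base + i)
        i = trailer.find(b"MZ", i + 1)
    return hits

def _chunk(ctype: bytes, payload: bytes) -> bytes:
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)

def build_sample(trailer: bytes) -> bytes:
    """Constructed 1x1 PNG (IHDR + IEND only) with arbitrary bytes appended."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IEND", b"") + trailer

# Constructed stand-in for an embedded DLL or EXE: DOS header, e_lfanew = 0x40, "PE\0\0".
FAKE_PE = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40) + b"PE\0\0" + b"\0" * 20
```

Running find_embedded_pe(build_sample(FAKE_PE + FAKE_PE)) reports two PE images after the 45-byte image, mirroring the DLL-plus-EXE layout the advisory describes; a clean PNG yields an empty list.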

 

Figure: Watering hole attack using IE 10 Zero-Day (image not reproduced)

 

IMPACT:

  • Users not running Internet Explorer 9 or 10, or running a browser native to Mac OS, are not vulnerable.
  • For Internet Explorer 9 or 10 users on Windows:
      • An attacker who successfully exploited this vulnerability could gain the same rights as the currently logged-on user.
      • Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative privileges.

 

AFFECTED SOFTWARE:

  • Microsoft Internet Explorer 9
  • Microsoft Internet Explorer 10

 

UPDATE #1 - 2/20/2014:

  • Microsoft has confirmed that CVE-2014-0322 affects both Internet Explorer 9 and 10.
  • Microsoft has issued the following security advisory: Security Advisory 2934088
  • Microsoft has stated they have not seen any exploit code capable of triggering the vulnerability on Internet Explorer 9.

The chart below may help explain the risk by platform:

 

                      | Windows XP     | Windows Vista    | Windows 7        | Windows 8    | Windows 8.1
                      | Server 2003    | Server 2008      | Server 2008 R2   | Server 2012  | Server 2012 R2
----------------------|----------------|------------------|------------------|--------------|---------------
Internet Explorer 6   | Not vulnerable | n/a              | n/a              | n/a          | n/a
Internet Explorer 7   | Not vulnerable | Not vulnerable   | n/a              | n/a          | n/a
Internet Explorer 8   | Not vulnerable | Not vulnerable   | Not vulnerable   | n/a          | n/a
Internet Explorer 9   | n/a            | Vulnerable,      | Vulnerable,      | n/a          | n/a
                      |                | not under attack | not under attack |              |
Internet Explorer 10  | n/a            | n/a              | Under attack     | Under attack | n/a
Internet Explorer 11  | n/a            | n/a              | Not vulnerable   | n/a          | Not vulnerable

 

MITIGATION STRATEGIES:

Microsoft Internet Explorer users who are concerned about this vulnerability and who are unable to patch their machines can follow these mitigation steps:

  • Symantec recommends customers use a layered approach to securing their environment, utilizing the latest Symantec technologies, including enterprise-wide security monitoring from Edge to Endpoint.
  • Upgrading to Internet Explorer 11 is the best way to stay safe from exploit attempts targeting this vulnerability.
  • Deploy the Enhanced Mitigation Experience Toolkit (EMET).
  • Install the Microsoft Fix it workaround tool.
  • Do not use out-of-date software; keep your operating system and software up to date with the latest versions and security patches.
  • Run all software as a non-privileged user with minimal access rights.
  • To reduce the impact of latent vulnerabilities, always run non-administrative software as an unprivileged user with minimal access rights.
  • Deploy network intrusion detection systems to monitor network traffic for malicious activity.
  • Do not follow links or open email attachments provided by unknown or untrusted sources.
  • Memory-protection schemes (such as non-executable stack and heap configurations and randomly mapped memory segments) will complicate exploits of memory-corruption vulnerabilities.
  • Symantec encourages users to apply all relevant patches when they are available.

 

SYMANTEC MSS SOC DETECTION CAPABILITIES:

MSS Detection

  • [MSS URL Detection] Backdoor.Winnti.C possible C&C traffic

Vendor Detection

  • Symantec AV
      • Trojan.Malscript (Malicious Web Page)
      • Trojan.Swifi (Malicious File)
      • Trojan Horse (Malicious DLL)
      • Trojan Horse (Downloaded PNG file)
      • Backdoor.Winnti.C (Payload)
      • SONAR.Heuristic.112
      • Suspicious.Cloud.2
      • WS.Trojan.H
      • Bloodhound.Exploit.540
  • Symantec IPS
      • Web Attack: Malicious SWF Download 19
      • Web Attack: MSIE Generic Browser Exploit 3
  • Snort/SourceFire
  • Cisco

 

REFERENCES:

 

We thank you again for choosing Symantec as your Managed Security Services Provider. Should you have any questions or feedback, please contact your Services Manager, or the Analysis Team can be reached by requesting help via phone, e-mail, or visiting the MSS portal at https://mss.symantec.com.

 

Global Client Services Team

Symantec Managed Security Services

https://mss.symantec.com
