IE8 Exploit Had US Nuke Workers in Its Sights
May 6, 2013 2:12 PM PT
A zero-day vulnerability in Internet Explorer 8 let hackers compromise a U.S. Department of Labor website linked to a database used by former Energy Department employees who had worked with nuclear weapons or uranium. That database was also used by Labor Department claims examiners.
Security firm Invincea, which reported the attack, has raised the possibility that the hackers were compromising one U.S. government department in order to attack another.
Microsoft has released a security advisory stating that other versions of Internet Explorer are not affected by the vulnerability, which could let remote attackers take control of targeted computers.
"We strongly encourage customers to follow the workarounds listed in the advisory while we continue working on a full update to address this issue," Dustin Childs, a group manager at Microsoft Trustworthy Computing, told TechNewsWorld.
"Don't use Internet Explorer," Joe DeMesy, senior security analyst at Stach & Liu, told TechNewsWorld when asked what users could do to protect themselves, apart from taking standard precautions such as refraining from clicking on suspicious links or opening suspicious messages from strangers.
"Firefox, Chrome and Opera all offer substantially better security," DeMesy said. "However, it's still very important to keep IE patched, even if you don't use it on a regular basis."
Details of the Latest IE8 Flaw
The vulnerability exists in the way that IE accesses an object in memory that has been deleted or has not been properly allocated, Microsoft's advisory said. This could corrupt memory and possibly let an attacker execute arbitrary code on a victim's computer.
An attacker could set up a website that exploits this vulnerability through IE and then lure users to it, typically through a link in an email or instant message that users would be tricked into clicking.
The flaw is a use-after-free vulnerability, Invincea said, and it was being exploited to install the "Poison Ivy" backdoor Trojan.
Security firm AlienVault claims that at least nine other websites, including several non-profit groups, institutes and a European defense contractor, were hit by the same attack. The company also contends that another malicious server is serving some of the malicious payloads found in the attack on the Department of Labor.
The department has taken its attacked site offline and is investigating the hack. It will keep the site offline until the investigations are completed, but to date no information appears to have been lost or compromised.
Comments on the Flaw
Windows has been hit repeatedly by memory vulnerabilities over the years, and one disclosed in September led the German government to advise people to stop using IE.
"Memory corruption vulnerabilities are a classification of bugs that refuses to die," Stach & Liu's DeMesy said. "Programs like IE8, Chrome and Firefox are all written in languages like C or C++, all of which require the programmer to manually manage the computer's memory." That's a "very difficult" task and often results in exploitable bugs.
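The advisory's description of the bug class (accessing an object after it has been deleted) and DeMesy's point about manual memory management both come down to dangling references. The following is an added example, not code from IE, Microsoft or any vendor quoted here: a hypothetical generation-checked object pool in C, where freeing a slot bumps a counter so that any reference taken before the free resolves to NULL instead of reusing the stale memory. Names (`obj_alloc`, `obj_get`, `obj_free`, `POOL_SLOTS`) are assumptions for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical generation-checked pool (not IE's code). Each slot
 * carries a generation counter: odd = in use, even = free. A handle
 * records the generation it was issued under, so a handle kept across
 * a free (the use-after-free pattern) no longer resolves. */
#define POOL_SLOTS 4

typedef struct {
    uint32_t generation;   /* bumped on alloc and on free */
    int      value;        /* payload stands in for a DOM object */
} slot_t;

typedef struct {
    uint32_t index;        /* slot number in the pool */
    uint32_t generation;   /* generation the handle was issued under */
} handle_t;

static slot_t pool[POOL_SLOTS];   /* zeroed: every slot starts free */

/* Allocate a free slot; the handle is bound to the new generation. */
handle_t obj_alloc(int value) {
    for (uint32_t i = 0; i < POOL_SLOTS; i++) {
        if ((pool[i].generation & 1u) == 0) {      /* even = free */
            pool[i].generation++;                  /* odd = in use */
            pool[i].value = value;
            return (handle_t){ i, pool[i].generation };
        }
    }
    return (handle_t){ UINT32_MAX, 0 };            /* pool exhausted */
}

/* Resolve a handle; NULL if the object was freed or the slot reused. */
slot_t *obj_get(handle_t h) {
    if (h.index >= POOL_SLOTS) return NULL;
    if (pool[h.index].generation != h.generation) return NULL;
    return &pool[h.index];
}

/* Free a slot: bumping the generation invalidates every outstanding
 * handle, and a second free of the same handle is rejected. */
int obj_free(handle_t h) {
    slot_t *s = obj_get(h);
    if (s == NULL) return 0;                       /* stale or double free */
    s->generation++;                               /* even = free again */
    memset(&s->value, 0, sizeof s->value);
    return 1;
}
```

A stale handle fails even after the slot is handed out again, which is the case a plain dangling pointer silently gets wrong.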
"Internet Explorer has been a huge target for any cybercrook because it is present in nearly any version of Windows," Bogdan "Bob" Botezatu, senior e-threat analyst at Bitdefender, told TechNewsWorld. "It is also one of the few applications that is designed to interface with the Web at any time, and some of the code it accesses, such as this exploit in the wild, is designed to compromise its integrity."
Poison Ivy was the only payload seen in the initial attack. While it lets a cybercriminal gain control of a victim's computer and plant other malware on it, it "is relatively well known within the antivirus vendor community and is easy to flag as malware, therefore the malicious impact on a system secured with antivirus solutions is not as critical," Botezatu said.
Installing antivirus software is critical, but "new variants can be introduced on an ongoing basis, and antivirus is by definition a reactive measure [so] organizations must put additional layers in place to detect the unauthorized use of credentials by a rogue device," David Britton, a vice president at 41st Parameter, told TechNewsWorld.
Microsoft has published a list of preventive steps for protection against Poison Ivy.