Unpatched Internet Explorer vulnerability details emerge

Summary: The same group that compromised whitelisting security vendor Bit9 many months ago appears responsible for a targeted campaign in Japan using an unpatched vulnerability in Internet Explorer.

We know a lot more about the unpatched vulnerability in Internet Explorer that Microsoft announced last week. Microsoft released a great deal of technical detail on it, and now network security firm FireEye has details on the targeted attacks that employed it.

When Microsoft initially disclosed the vulnerability they simultaneously provided a "Fix it" patch to mitigate it. A later TechNet blog on the vulnerability and patch goes into unusual detail about the vulnerable code and how the Fix it works.

A key part of the Internet Explorer exploit was to load a Microsoft Office DLL, hxds.dll (identified as the "Microsoft Help Data Services Module"), which was compiled without ASLR (Address Space Layout Randomization) enabled. ASLR is a build-time option that randomizes where the parts of a program are placed in memory, so that an attacker cannot predict the addresses needed for the exploit technique known as ROP (Return-Oriented Programming), a generalization of the older "return to libc" technique. ASLR only protects a process if every module loaded into it opts in: a single DLL that always loads at the same address hands the attacker the fixed addresses the rest of the process denies them. By loading hxds.dll through the exploit, the attackers were able to gain control of execution and run their attack. The TechNet blog goes on to describe how the Fix it works and how EMET 4.0 can be used to mitigate the attack.
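The audit a defender would want after reading this is a check of which DLLs on a system opt into ASLR. The following is an added example (not code from the article, Microsoft or FireEye) that reads the DllCharacteristics field of a PE image's optional header, where the /DYNAMICBASE (ASLR) and /NXCOMPAT (DEP) flags are recorded; the sample PE headers it audits are constructed in-memory stand-ins, not real copies of hxds.dll.

```python
import struct

# DllCharacteristics bits from the PE optional header (winnt.h names).
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA = 0x0020
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040   # /DYNAMICBASE: opts into ASLR
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100      # /NXCOMPAT: opts into DEP


def pe_mitigations(data: bytes) -> dict:
    """Return which build-time mitigations a PE image opts into.

    Walks DOS header -> e_lfanew -> 'PE\\0\\0' -> 20-byte COFF header -> optional
    header; DllCharacteristics sits at offset 70 in both PE32 and PE32+ layouts.
    """
    if data[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    opt = e_lfanew + 4 + 20
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):               # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    (dll_chars,) = struct.unpack_from("<H", data, opt + 70)
    return {
        "aslr": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "dep": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "high_entropy_va": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA),
    }


def fake_pe(dll_chars: int) -> bytes:
    """Constructed minimal PE32 header (not a real DLL) for demonstration only."""
    e_lfanew = 0x40
    dos = b"MZ" + bytes(0x3C - 2) + struct.pack("<I", e_lfanew)      # 64 bytes
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x2102)  # i386 DLL
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)        # PE32 magic
    struct.pack_into("<H", opt, 70, dll_chars)   # DllCharacteristics
    return dos + b"PE\0\0" + coff + bytes(opt)


def audit(name: str, data: bytes) -> None:
    m = pe_mitigations(data)
    verdict = "OK" if m["aslr"] else "NO ASLR: loads at a fixed address"
    print("%-13s aslr=%-5s dep=%-5s %s" % (name, m["aslr"], m["dep"], verdict))


if __name__ == "__main__":
    # Constructed samples: one built like hxds.dll (DEP only), one with ASLR too.
    audit("weak.dll", fake_pe(IMAGE_DLLCHARACTERISTICS_NX_COMPAT))
    audit("hardened.dll", fake_pe(IMAGE_DLLCHARACTERISTICS_NX_COMPAT
                                  | IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE))
```

To audit a real module, pass the file's bytes (`pe_mitigations(open(path, "rb").read())`) and flag any DLL whose `aslr` result is false.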

Microsoft does not give any information on when a patch will be available to address the vulnerability or if it will include a copy of hxds.dll that is built with ASLR.

Meanwhile, FireEye has discovered that this vulnerability was used to target organizations in Japan, going back perhaps more than a month, and the campaign appears to be the work of the same group that compromised whitelisting company Bit9 earlier this year in order to facilitate other attacks. FireEye has labeled the campaign "Operation DeputyDog" after a string found in the payload.

FireEye provides details sufficient to allow security admins to identify and block attacks.

About

Larry Seltzer has long been a recognized expert in technology, with a focus on mobile technology and security in recent years. He was most recently Editorial Director of BYTE, Dark Reading and Network Computing at UBM Tech. Prior to that he spent over a decade consulting and writing on technology subjects, primarily in the area of sec...
