New Internet Explorer 10 zero-day exploit targets U.S. military

New Internet Explorer 10 zero-day exploit targets U.S. military

Summary: A new zero-day exploit within IE 10 has been discovered in what is called "Operation Snowman," resulting in rapid investigation by Microsoft.

SHARE:
TOPICS: Security
65

Hackers are actively exploiting a newly discovered zero-day flaw within the browser Internet Explorer 10, and have used it in a watering hole attack on the U.S. Veterans of Foreign Wars' website.

Discovered by security researchers from FireEye and dubbed "Operation Snowman," the campaign -- believed to be operating out of China -- is similar to Operation DeputyDog and Operation Ephemeral Hydra, both of which used zero-day flaws to deliver remote access trojans in order to hit strategically important targets.

According to the researchers, the zero-day exploit in Operation Snowman (CVE-2014-0322) is a "classic drive-by download attack," a phrase relating to browser-based attacks that hoodwink website visitors in to visiting malware-infected sites. The security firm says the attackers added an iframe to the VFW website's HTML code which then loaded the infected page in the background. When this code is loaded within the IE 10 browser, a Flash object is ran which downloads, decodes and executes an XOR-encoded payload from a remote server.

Following the discovery of the flaw, Malwarebytes researcher Jerome Segura tested the exploit and was able to reproduce a successful infection on Windows 7, Internet Explorer 10 with the latest version of the Flash Player. As Segura notes, the security flaw is "a use-after-free bug that gives the attacker direct memory access at an arbitrary address using a corrupted Adobe Flash file. It then bypasses both Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP)."

IE10infection
Credit: Malwarebytes

However, if a user is browsing with a different version of IE or has installed Microsoft’s Experience Mitigation Toolkit (EMET), the exploit will not function.

"A possible objective in the SnowMan attack is targeting military service members to steal military intelligence," FireEye researchers say. "In addition to retirees, active military personnel use the VFW website. It is probably no coincidence that Monday, Feb. 17, is a U.S. holiday, and much of the U.S. Capitol shut down Thursday amid a severe winter storm."

FireEye and Microsoft are currently collaborating as part of an investigation in to the IE 10 flaw and subsequent exploit. The Redmond giant has confirmed the vulnerability, stating:

"Microsoft is aware of targeted attacks against Internet Explorer, currently targeting customers using Internet Explorer 10. We are investigating and we will take appropriate actions to help protect customers."

Disclosure of the security problem comes two days after Microsoft released a large swathe of update patches for Internet Explorer editions. In total, seven updates have fixed 32 vulnerabilities, and an update for IE 10 alone contained 15 flaw fixes.

Topic: Security

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

65 comments
Log in or register to join the discussion
  • Funny how Flash always get's mentioned?

    Let's bash IE all we want because its true the connection to Windows is still too close with IE.
    But Adobe Flash always seems to be the door for access with these malware infections. I myself still have to use IE for Enterprise but I have done so with no add ons like Flash player.
    This solution seems like the only safe way to use IE. If you want to view Flash content the best solution seems to be Chrome or Firefox with a click Flash add on.
    JohnnyES-25227553276394558534412264934521
    • Just say no to Flash already!

      JohnnyES is right. Flash Player has got to be the most exploited piece of software ever, even after 5+ years of Adoby constantly fixing it. I doubt they will ever properly clean it up -- it needs to be re-written from the ground up. So pathetic. IE people, use Chrome or Firefox for crikey's sake!
      Compute_This
      • Flash... Don't forget Java

        Java is the number one source of exploits. Flash is obviously bad too.
        Over 91% according to recent Cisco security report:

        http://www.afterdawn.com/news/article.cfm/2014/01/20/cisco_java_exploits_behind_90_percent_of_security_attacks
        klashbrook
      • Internet Explorer

        So does Internet Exploder, that needs to scrapped together with the third rate code writers.The trouble with microsoft is they use their customer base as the QC management.
        bobmattfran
        • Who doesn't?

          Every single virus of the three I have had since Flash was released with "Active Content" came through a flash ad.
          RyuDarragh
    • Is that why

      Apple has prohibited anything remotely resembling Flash from Adobe from all their mobile devices and no longer includes it in OS X?
      arminw
      • re: Is That Why

        Yes, along with Apple's pushing for the HTML5 video tag. The only reason flash was ever used is because there was no video tag in HTML and no standard way to support playing video. Unfortunately, the video tag has been a debacle because the software patents in and around video codecs have literally made it impossible to write a new open standard video codec, even from scratch. In spite of the efforts of Apple, HTML, and others, we can thank MPEG and the US Patent and Trade Office for the continued forcing of Flash down our throats.
        Jaybus
    • IE is the only one to blame.

      Seriously if you knew there were a group of individuals right outside the door that weren't going to leave carrying assault weapons "Flash and Java" but had to leave the premises to go to work would you.....

      Drive out of the garage in a ill engineered flashy convertible with the top down, or an armored car? Good luck in that flashy convertible B.T.W.
      gdm40
    • Mr Troll, sorry, but no.

      The flaw is clearly stated as being limited only to IE version 10, not FlashPlayer.
      Rikkrdo
      • Did you miss this?

        "the security flaw is "a use-after-free bug that gives the attacker direct memory access at an arbitrary address using a corrupted Adobe Flash file"
        scottcp36
        • Vulnerability analysis

          Vulnerability analysis

          The vulnerability is a previously unknown use-after-free bug in Microsoft Internet Explorer 10.

          http://www.fireeye.com/blog/uncategorized/2014/02/operation-snowman-deputydog-actor-compromises-us-veterans-of-foreign-wars-website.html
          RickLively
        • And,

          Did you miss that it ONLY is exploitable in IE10? Not IE9, not IE8, not Firefox, not Chrome.... IE10. If the exploit doesn't work in all the other browsers, how is it that it's the fault of Flash?
          benched42
          • Well,...

            Since Adobe Flash is the vector and the flaw in IE 10 is likely one of weak permissions checking (you can reproduce this flaw in 8, 9 and 11 if you set your permissions badly), I'd say using a browser that has proper checks and leaving Flash in its current state is a bit like wearing latex gloves to feed a rabid animal.
            RyuDarragh
          • The flaw is explicitly stated to be a "use after free" bug in IE.

            That means that IE is doing Bad Things with its memory management, and Flash is merely the delivery system here.

            Please stop trying to rewrite the article.
            Zogg
    • ??? Funny how Flash always get's mentioned?

      .
      .
      .
      FLASH is EVIL
      .
      .
      .
      fm.usa
  • Does this affect IE11 too?

    And IE8, IE9 for that matter.
    bradavon
    • Only.....

      unpatched IE 10.
      Test Subject
      • Versions

        IE 10 has been confirmed. The article implies that it is the only browser/version affected. Also, the article noted using a corrupted flash file which would make me suspect that anyone using certain versions of Flash might also be at risk though it is unconfirmed hypothesis.
        Linux_Lurker
        • YAY!

          IE 11 here on Win 7 Ultimate. Booyah!

          At least for today. Who knows what tomorrow brings?
          harry_dyke
        • Precisely...

          They have only confirmed IE10, but you can do this to any browser of any species by setting permissions for active content incorrectly. I was using IE9 and Adobe Flash back in 2009 when a flash ad delivered one of those "Rogue Antivirus" suites including a rootkit.
          RyuDarragh