Unpatched Internet Explorer vulnerability details emerge

Summary: The same gang that compromised whitelisting security vendor Bit9 many months ago appears responsible for a targeted campaign in Japan using an unpatched vulnerability in Internet Explorer.

We know a lot more about the unpatched vulnerability in Internet Explorer that Microsoft announced last week. Microsoft released a great deal of technical detail on it, and now network security firm FireEye has details on the targeted attacks that employed it.

When Microsoft initially disclosed the vulnerability they simultaneously provided a "Fix it" patch to mitigate it. A later TechNet blog on the vulnerability and patch goes into unusual detail about the vulnerable code and how the Fix it works.

The point of the exploit in Internet Explorer was in fact to load a Microsoft Office DLL, hxds.dll, identified as "Microsoft Help Data Services Module", which was compiled without ASLR (Address Space Layout Randomization) turned on. ASLR is a program build option that randomizes where the different parts of a program land in memory, so that an attacker cannot predict the addresses needed for an exploit technique known as ROP, for Return-Oriented Programming (a successor to the older "return to libc" technique). Because hxds.dll always loaded at the same address, loading it through the exploit gave the attackers the predictable code locations they needed to gain control of execution and run their attack. The TechNet blog goes on with more detail about how the Fix it works and how to use EMET 4.0 to mitigate.
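A defender-side check for the property the TechNet post describes, added here as an example that is not from the article, Microsoft or FireEye: it parses a PE image's headers and reports whether the module opted in to ASLR (the DYNAMICBASE flag) and whether it can actually be relocated, which is what a non-ASLR module such as the one described above would fail. The `build_test_image` helper constructs a minimal header for exercising the parser; it is not a real DLL.

```python
import struct

# PE header flag values from the PE/COFF specification
IMAGE_FILE_RELOCS_STRIPPED = 0x0001             # COFF Characteristics: no .reloc data
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # image opts in to ASLR
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100     # image opts in to DEP

def pe_mitigations(data: bytes) -> dict:
    """Parse the DOS/COFF/optional headers of a PE image and report ASLR/DEP opt-ins."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    characteristics = struct.unpack_from("<H", data, coff + 18)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    # DllCharacteristics sits at offset 70 for both PE32 (0x10b) and PE32+ (0x20b)
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    dynamic_base = bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
    relocs_stripped = bool(characteristics & IMAGE_FILE_RELOCS_STRIPPED)
    return {
        "pe32plus": magic == 0x20B,
        "dynamic_base": dynamic_base,
        "relocs_stripped": relocs_stripped,
        # The loader only randomizes a module that opts in AND can still be relocated
        "aslr_effective": dynamic_base and not relocs_stripped,
        "nx_compat": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
    }

def build_test_image(dll_chars: int, characteristics: int = 0) -> bytes:
    """Constructed minimal PE32 header (not a real DLL) used to exercise the parser."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x014C, 0, 0, 0, 0, 224, characteristics)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)       # PE32 magic
    struct.pack_into("<H", opt, 70, dll_chars)  # DllCharacteristics
    return dos + b"PE\0\0" + coff + bytes(opt)

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            print(path, pe_mitigations(f.read()))
```

Run it against the DLLs loaded into a browser process to find modules that, like the one in this article, give an attacker fixed addresses.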

Microsoft does not give any information on when a patch will be available to address the vulnerability or if it will include a copy of hxds.dll that is built with ASLR.

Meanwhile, FireEye has discovered that this vulnerability was used to target organizations in Japan, going back perhaps more than a month, and that the campaign appears to be the work of the same group that compromised whitelisting company Bit9 earlier this year in order to facilitate other attacks. FireEye has labeled the campaign "Operation DeputyDog" after a string found in the payload.

FireEye provides details sufficient to allow security admins to identify and block attacks.

Talkback

6 comments
  • why is that no surprise?

    oh yes, because it's the continuation of practice that is 20 years old.
    ljenux
  • lol

    "Microsoft does not give any information on when a patch will be available to address the vulnerability or if it will include a copy of hxds.dll that is built with ASLR."

    they have no idea how to fix it. now that is even less surprise because it's a continuation of a practice that is 35 years old
    ljenux
  • It's not an IE problem, Old IE runs fine on Linux.

    As always, it's a Windows OS issue.

    It seems like blaming IE is just "Diluting" the blame. I can run old IE on Linux (using Wine) without security issues. Blaming Firefox and Chrome for security issues falls into the same category. No application is going to protect a faulty OS.

    http://smetona.net/Zdnet/IE_on_Linux.png
    Joe.Smetona
    • People don't have to needlessly suffer with Windows anymore.

      AV is not necessary on a secure OS. Microsoft can't get away from using AV, or blaming applications for core OS issues.
      Joe.Smetona
      • Yeah, Linux-based sites are never defaced, either.

        There's no need to worry about any security issues on Linux. (According to Linux fanboys.)
        blu_vg@...
    • Oh, you mean secure like Linux-based Android?

      Oh, wait, it's not. And it never was.

      Nice try to distort the issue by claiming that running IE in an API translator is the same as running on the native platform, though.
      blu_vg@...