Microsoft patches critical IE bug that was under attack for nearly three years

Microsoft has decided that an Internet Explorer bug it knew of last year was in fact worth patching.
Written by Liam Tung, Contributing Writer

The Internet Explorer bug has been used by several gangs behind the spread of malicious ads.


Microsoft has plugged 94 holes as part of its September security updates, including dozens of remote code execution flaws and a once-ignored critical bug in Internet Explorer that is now being used by criminals.

The fix, released by Microsoft on Tuesday, addresses a critical information disclosure bug in Internet Explorer (IE) that, according to independent malware researcher Kafeine, was first reported to Microsoft in 2015 but wasn't acted on, possibly because Microsoft didn't consider it critical.

The fix for the flaw comes this month after security firms Proofpoint and Trend Micro reported it a second time, this time with evidence that it was being exploited by criminals.

Labelled as CVE-2016-3351, the IE bug has been part of an arsenal used by several gangs responsible for littering online ad networks with malicious ads that lead victims to ransomware. It has been exploited in automated attacks on the web since as early as January 2014.

According to Kafeine, one of the exploit's functions is to evade the automated tools security researchers use to detect and analyze malware. It has also been used to infect end-user systems over the web. But, as Microsoft notes, an attacker first needed to trick a victim into clicking a link to an attack site.

Kafeine said criminals are increasingly exploiting non-critical bugs and low-level vulnerabilities that may remain unpatched for months or years.

"In this case, the AdGholas group used such a bug specifically to avoid detection by researcher and vendor automated systems and thus stay below the radar even while they conducted a massive, long-running malvertising operation," Kafeine wrote.

Of the 14 bulletins in this month's update, 10 address remote code execution flaws, while two address elevation of privilege bugs and two fix information disclosure issues.

Security firm Rapid7's analysis highlights six bulletins that consumers and enterprises should be wary of. These cover 60 critical vulnerabilities affecting Internet Explorer, Edge for Windows 10, the Windows kernel, Office, the Windows PDF library, and Adobe Flash Player for Windows, Internet Explorer, and Edge.

Adobe yesterday also released its Patch Tuesday fixes for Flash Player on Linux, Mac and Windows. The update addresses 26 critical vulnerabilities. Adobe initially said 29 bugs were fixed, but later removed the extra entries from its bulletin, noting they had been inadvertently included.
