Unpatched Internet Explorer vulnerability details emerge

The same gang that compromised whitelisting security vendor Bit9 many months ago appears responsible for a targeted campaign in Japan using an unpatched vulnerability in Internet Explorer.
Written by Larry Seltzer, Contributor

We know a lot more about the unpatched vulnerability in Internet Explorer that Microsoft announced last week. Microsoft released a great deal of technical detail on it, and now network security firm FireEye has details on the targeted attacks that employed it.

When Microsoft initially disclosed the vulnerability, it simultaneously provided a "Fix it" patch to mitigate it. A later TechNet blog on the vulnerability and patch goes into unusual detail about the vulnerable code and how the Fix it works.

The point of the exploit in Internet Explorer was in fact to load and exploit a Microsoft Office DLL, hxds.dll (identified as "Microsoft Help Data Services Module"), which was compiled without ASLR (Address Space Layout Randomization) turned on. ASLR is a program build technique that randomizes the locations of different parts of the program in memory in order to block an exploit technique known as ROP, for Return-Oriented Programming (a.k.a. "return to libc"). By loading hxds.dll through the exploit, the attackers were able to gain control of execution and run their attack. The TechNet blog goes on with more detail about how the Fix it works and how to use EMET 4.0 to mitigate the vulnerability.
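As an added illustration (not code from Microsoft, FireEye or the article), the check below shows how a defender can audit whether a module opts in to ASLR by reading the `DllCharacteristics` field of its PE header. The function names `aslr_status` and `build_sample` are hypothetical, and the sample images are constructed header-only stubs, not real DLLs.

```python
import struct

IMAGE_FILE_RELOCS_STRIPPED = 0x0001             # COFF Characteristics bit
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # set by the linker's /DYNAMICBASE
DLLCHARACTERISTICS_OFFSET = 70                  # same offset in PE32 and PE32+

def aslr_status(image: bytes) -> dict:
    """Parse the PE headers and report whether the image opts in to ASLR."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    (pe_off,) = struct.unpack_from("<I", image, 0x3C)  # e_lfanew
    coff = pe_off + 4
    if image[pe_off:coff] != b"PE\0\0" or len(image) < coff + 20:
        raise ValueError("not a PE image: missing PE signature or COFF header")
    opt_size, file_chars = struct.unpack_from("<HH", image, coff + 16)
    opt = coff + 20
    if opt_size < DLLCHARACTERISTICS_OFFSET + 2 or len(image) < opt + opt_size:
        raise ValueError("optional header truncated")
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (0x10B, 0x20B):  # PE32 / PE32+
        raise ValueError(f"unexpected optional header magic {magic:#x}")
    (dll_chars,) = struct.unpack_from("<H", image, opt + DLLCHARACTERISTICS_OFFSET)
    dynamic_base = bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
    relocs_stripped = bool(file_chars & IMAGE_FILE_RELOCS_STRIPPED)
    return {
        "dynamic_base": dynamic_base,
        "relocs_stripped": relocs_stripped,
        # No opt-in (or no relocation data): the loader uses the preferred base if free.
        "predictable_base": not dynamic_base or relocs_stripped,
    }

def build_sample(dll_chars: int, file_chars: int = 0x2102) -> bytes:
    """Constructed header-only PE32 image (not a real DLL) for the demo."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = struct.pack("<HHIIIHH", 0x014C, 0, 0, 0, 0, 0xE0, file_chars)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<H", opt, DLLCHARACTERISTICS_OFFSET, dll_chars)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)

if __name__ == "__main__":
    for name, flags in (("sample-no-aslr", 0x0100), ("sample-aslr", 0x0140)):
        print(name, aslr_status(build_sample(flags)))
```

To audit a real module, pass the file's bytes to `aslr_status`; any loaded module reporting `predictable_base` is a candidate for rebuilding or for an enforced-relocation mitigation such as the EMET configuration the TechNet post describes.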

Microsoft does not give any information on when a patch will be available to address the vulnerability or if it will include a copy of hxds.dll that is built with ASLR.

Meanwhile, FireEye has discovered that this vulnerability was used to target organizations in Japan, going back perhaps more than a month, and that the attacks appear to be the work of the same group that compromised whitelisting company Bit9 earlier this year in order to facilitate other attacks. FireEye has labeled the campaign "Operation DeputyDog" after a string found in the payload.

FireEye provides details sufficient to allow security admins to identify and block attacks.
