This week's zero-day threat involving multiple versions of Internet Explorer may frequently leverage the presence of Java on the infected machine.
The memory corruption vulnerability, which was acknowledged on Monday by Microsoft, impacts versions 7, 8 and 9 of Internet Explorer; however, version 10, the most recent rev, appears to be unaffected at this point.
It is possible that the current attack is being run by the same group that has been using a widely-publicized Java vulnerability, given that researchers have found that the Metasploit-based version of the attack uses Java as a means of supporting the deployment of Poison Ivy malware, a remote administration tool.
According to Marc Maiffret, CTO at BeyondTrust, the attack currently being executed in the wild begins with a malicious website that determines which version of IE the host system is running. It then loads additional software to perform a heap spray and load an iframe. Protect.html is then loaded to trigger the vulnerability, at which point Poison Ivy is downloaded. A successful exploit gives the attacker the ability to execute code remotely.
"You essentially need to get a bunch of your attacker-supplied code loaded into memory on Internet Explorer," explained Maiffret. "You can do that through leveraging something like Flash, or in the case of the Metasploit attack, they're using Java. So, it's interesting to note that if you don't have Java, you're not vulnerable to this as a Metasploit attack."
Maiffret continued, "You allocate a whole bunch of memory, and when you leverage the vulnerability, you point the execution of the software back to the memory that you allocated, which has our malicious code. This is about bypassing the memory protections in Windows 7 in order to make the exploit work."
Windows includes protections designed to keep code from sitting at predictable memory addresses; the exploit needs something loaded at a known address, and Java provides it, thereby helping to enable the attack. At this point, Java has been most closely linked to the Metasploit version of the attack, according to Maiffret.
The attack comes on the heels of Microsoft's September Patch Tuesday, sparking initial concerns that IE users might have to wait three weeks for a patch. But on Tuesday afternoon, Yunsun Wee, director of Microsoft Trustworthy Computing, issued a statement indicating that a patch would be available "in the next few days."
"Given what we are seeing in the news, the level of discomfort in IT and the fact that we have active exploits going on, I'm sure there's a big push at Microsoft to get this out sooner than later," said Andrew Storms, director of security operations for nCircle. "This is aimed at IE 9 through 6, which probably represents about 90 percent of the IE market, if not more. IE 10 does not seem to be vulnerable to this. We're not sure why, but I suspect it's a case where it was already found and fixed."
During the interim, Microsoft is recommending two stopgap measures. The first involves setting the security level for both the Internet zone and the local zone to High. The objective is to disable ActiveX controls and Active Scripting on the machine.
"Running the Internet zone like that is generally fine and a good idea," said nCircle's Storms. "But putting the local zone into a high-security mode generally comes with some unexpected consequences. Some business applications may not function correctly with that setting because they generally use things like ActiveX scripting."
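To see where a given machine stands on that first stopgap before and after changing it, the following PowerShell audit is an added example (not from the article or from Microsoft's advisory). It assumes the per-user Internet Explorer zone settings live under the registry path shown, that zone 1 is Local intranet and zone 3 is Internet, that `CurrentLevel` 0x12000 means High, and that action values `1200` (run ActiveX controls) and `1400` (Active scripting) use 0 = enable, 1 = prompt, 3 = disable; treat those mappings as assumptions and confirm them against the Internet Options dialog.

```powershell
# Added example: audit the IE zone settings that the first stopgap changes.
# Registry layout, value names and level codes below are assumptions from my
# own reading of IE zone settings, not values quoted by the article.
$base  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$zones = @{ 1 = 'Local intranet'; 3 = 'Internet' }

# Assumed CurrentLevel template codes.
$levels = @{ 0x12000 = 'High'; 0x11500 = 'Medium-high'; 0x11000 = 'Medium'
             0x10500 = 'Medium-low'; 0x10000 = 'Low' }
# Assumed per-action values: 1200 = run ActiveX controls and plug-ins,
# 1400 = Active scripting; 0 = enable, 1 = prompt, 3 = disable.
$states = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Describe-Value($map, $raw) {
    if ($null -eq $raw) { return 'not set (template default)' }
    if ($map.ContainsKey([int]$raw)) { return $map[[int]$raw] }
    return ('unknown (0x{0:X})' -f [int]$raw)
}

function Get-ZoneAudit {
    foreach ($id in ($zones.Keys | Sort-Object)) {
        $key   = Join-Path $base $id
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if ($null -eq $props) {
            [pscustomobject]@{ Zone = $zones[$id]; Level = 'key missing'
                               ActiveX = '-'; Scripting = '-'; Hardened = $false }
            continue
        }
        $level  = $props.CurrentLevel
        $ax     = $props.'1200'
        $script = $props.'1400'
        # The stopgap is in place when the template is High, or when both
        # risky actions are explicitly disabled even under another template.
        $hardened = ($level -eq 0x12000) -or (($ax -eq 3) -and ($script -eq 3))
        [pscustomobject]@{
            Zone      = $zones[$id]
            Level     = Describe-Value $levels $level
            ActiveX   = Describe-Value $states $ax
            Scripting = Describe-Value $states $script
            Hardened  = $hardened
        }
    }
}

Get-ZoneAudit | Format-Table -AutoSize
```

Run it as the user whose browser profile matters; if the zone policy is enforced machine-wide by Group Policy, check the same subkeys under HKLM instead.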
Microsoft's second piece of advice is to use the company's Enhanced Mitigation Experience Toolkit (EMET), which it believes could block most of the attacks without adverse impacts elsewhere on the system. According to BeyondTrust’s Maiffret, preliminary testing indicates that this countermeasure is successful in at least some scenarios.
Prompt response is advised. With the exploit now integrated into Metasploit and similar kits, the attack vector becomes much more inviting to a much wider range of cybercriminals.
"The last few zero-days we've seen have been quickly added into the everyday exploit toolkits," said Maiffret. "When these things are used in targeted attacks, they typically impact a limited number of companies. But, once they are in the kits, the fallout can be a lot worse. We're now in a situation where basically anyone can do it. It's point-and-click easy."
PUBLISHED SEPT. 18, 2012
This story was updated on Sept. 18, 2012, at 5:00 p.m. PST, in order to note that Yunsun Wee, director of Microsoft Trustworthy Computing, issued a statement Tuesday afternoon indicating that a patch would be available "in the next few days."