Microsoft: Don't Be Fooled By The Cool Exploit Kit


Microsoft issued a warning and detailed analysis of the Cool Exploit Kit, an automated attack toolkit that surfaced in January targeting Java, Windows and Adobe software vulnerabilities.

The Microsoft warning, issued Tuesday on the company's Malware Protection Center blog, also analyzes an Internet Explorer flaw that can be targeted by users of the toolkit. The vulnerability, which enables attackers to bypass security restrictions, was used during last year's Pwn2Own competition held by HP-TippingPoint's Zero-Day Initiative.

The flaw, which affects all supported versions of Internet Explorer, was patched by Microsoft in June. It is being used sporadically, but it can be leveraged to target a broader range of victims, wrote Microsoft malware researcher Justin Kim.

[Related: Microsoft Acknowledges Internet Explorer Zero-Day Used In Website Attack]

"Although there is currently a low prevalence for this update in Cool EK, it is expected that it will propagate soon," Kim wrote. "It is often stealthed and not visible to Web surfers, so caution is required when visiting unfamiliar websites."

Security researchers believe the Cool automated attack toolkit was created by the same author of the widely used Black Hole toolkit, which has been available for about three years and is often cited as the fuel behind most attacks targeting Web applications. When Cool was made available it was reportedly selling at a premium $10,000 monthly fee and its authors said the kit would contain highly sought after exploits that target zero-day vulnerabilities.

Cool contains about six exploits, including one that targets a Java zero-day vulnerability. It forced Oracle to rush out an emergency security update in January to correct the flaw. The latest exploits targeting Java can bypass older sandbox restrictions that are used for protection.

According to exploit kit statistics released by F-Secure, a security firm based in Finland, Black Hole, Cool and another kit called Sweet Orange make up 56 percent of the attacks driven by automated toolkits. Black Hole takes up 27 percent coverage, F-Secure said.

If the Cool exploit toolkit increases in use it could also be used to stage drive-by attacks targeting groups of individuals in watering-hole-style campaigns, said security researchers. Shane Shook, global vice president of consulting at security intelligence startup Cylance, told CRN that watering-hole attacks are not widespread, but their numbers are on the rise.

"As more and more technologies are coming out for individuals to protect email and Web browsing experiences, the one remaining soft target is the Web servers themselves," Shook said.

PUBLISHED MAY 8, 2013