Microsoft Update Fixes Serious Internet Explorer Zero-Day


Microsoft is addressing a serious Internet Explorer zero-day that was being actively exploited in a targeted attack against U.S. military personnel.

Microsoft addressed the serious coding error in its March 2014 Patch Tuesday. Researchers at security vendor FireEye detected attacks using the zero-day exploit against visitors to the U.S. Veterans of Foreign Wars website. The attacks were associated with two previous zero-day attack campaigns conducted by the same cybercriminal organization, FireEye said. The targeted attack technique used by the group is called a watering-hole campaign because it targets victims likely to visit a certain website.  

The memory corruption flaw is one of 18 critical vulnerabilities Microsoft repaired this month in Internet Explorer. Microsoft said the vulnerabilities could allow remote code execution and are used in drive-by attacks against users of the Microsoft browser. The bulletin affects all currently supported versions of Internet Explorer, including IE 11 running on Windows 8.1 and RT devices. A closely related Microsoft DirectShow bulletin addresses a critical flaw that is also exploitable through Internet Explorer. It impacts all supported versions of Windows and can be exploited remotely.


Web application attacks are a favorite attack vector for cybercriminals, because vulnerable web applications are fairly easy to find using automated attack toolkits. Solution providers tell CRN that businesses often have significant problems addressing Web application vulnerabilities that enable attackers to set up drive-by attacks.

Organizations need to conduct regular website monitoring for changes that are not consistent with the business' normal publishing schedule, said Peter Hesse, president and founder of Chantilly, Va.-based solution provider Gemini Security Solutions. Businesses that aren't proactive risk getting blacklisted by Google and other search engines for serving up malware, which erodes search-engine optimization, Hesse said.  

"It's unrealistic to say that we can prevent every kind of vulnerability, but it is important to be in front of it and constantly scanning to notice if something changes," Hesse said. "You need to take action before Google takes action on your behalf."

WordPress and other content-management platforms have plugins that can monitor for suspicious changes that could signal a threat, Hesse said. Vendors specializing in web security or vulnerability management have these features and offer more capabilities. They include Lumension, Qualys, Sucuri and WhiteHat Security, among others.

Microsoft also has issued three other bulletins addressing flaws in Silverlight, its Windows Kernel-Mode Driver and Security Account Manager Remote Protocol. The updates are rated important.

In addition to the Microsoft updates, system administrators also were given patches from Adobe Systems on Tuesday. Adobe repaired two flaws in Flash Player rated important. It is the second time in less than a month that the software maker pushed out repairs for the software. In February, the firm issued an emergency out-of-band update, fixing three Flash Player vulnerabilities targeted by attackers.

Businesses are consistently failing at security when they roll out web applications or add new web-based functionality for users, said Wolfgang Kandek, chief technical officer at vulnerability management vendor Qualys. When a cross-site scripting vulnerability, or other common coding error, is discovered, it could be months of exposure time before the development team addresses it, Kandek said.

"Web applications are at the maturity level that infrastructure was at 10 years ago," Kandek said. "Many organizations build something, and once it is running and it works normally, it is never maintained." 

PUBLISHED MARCH 11, 2014