Microsoft Fixes IE Zero-Day Flaw, Adobe Repairs Flash Player
Microsoft and Adobe each issued critical security updates impacting critical components in Internet Explorer and Flash Player, respectively, that are favorite targets of attackers.
Redmond, Wash.-based Microsoft fixed 37 vulnerabilities in Internet Explorer, including a publicly disclosed vulnerability used by an organized cybercriminal group suspected of carrying out targeted attacks against a variety of organizations, including a campaign that targeted visitors to the U.S. Veterans of Foreign Wars website in February.
The drive-by attack against the VFW website also targeted an Adobe Flash Player vulnerability, and forensics investigators found that the infiltration of the site exposed the information of up to 55,000 VFW members. The combat veterans association said attackers targeted a website vulnerability and gained access to an underlying Web server containing the names and Social Security numbers of some of its members.
[Related: Microsoft Zero-Day Attacks Tied To Group Responsible For Bit9 Breach]
The attacks, called "Operation Snowman," are tied to a group targeting military, industrial and geopolitical organizations, according to security vendor FireEye. The group took advantage of an ActiveX control that could be triggered to run in Internet Explorer without the user's knowledge. It was used in drive-by attacks against users, according to FireEye, which first detected the zero-day exploit. The information disclosure vulnerability provided enough information to criminals to carry out additional attacks against victims.
The zero-day attacks have been used to check if victims are running antimalware components or Microsoft's Enhanced Mitigation Toolkit (EMET) and can be adapted to bypass the security measures, said Wolfgang Kandek, chief technology officer of vulnerability management vendor Qualys.
"Attackers would exploit these vulnerabilities by crafting a special webpage and host the webpage either at an otherwise innocent site that they gained control over or at special sites set up to attract traffic, typically through Search Engine Poisoning," Kandek said in his analysis of the security updates.
The Internet Explorer security update impacts all currently supported versions of the browser. It was the only critical bulletin in Microsoft's September Patch Tuesday, which included three other bulletins rated important. The software maker plugged a coding error in Windows that could be used in a multistaged attack by criminals to elevate system privileges. A vulnerability in its .Net framework could be used to cause a denial-of-service condition on .Net-enabled websites. Three similar denial-of-service vulnerabilities were repaired in Microsoft Lync Server, which could be used to cause it to crash.
San Jose, Calif.-based Adobe, meanwhile, repaired 12 vulnerabilities in its ubiquitous Flash Player software, including coding errors that could be exploited by an attacker to take complete control of a computer. The update impacts users of Windows, Macintosh, Linux and Android. It also impacts developers using Adobe Air for Windows, iOS and Android.
Solution providers say the monthly patch cycle from Microsoft and Adobe are generally important to their clients and should be addressed as soon as possible.
Businesses are starting to realize that news about multistaged attack campaigns are real and they could be a target, said Kevin Willette, owner of Fridley, Minn.-based solution provider Verus. The threats target end users and then make their way to significant corporate resources and, at the end of the day, organizations want to minimize the impact and be proactive about identifying and addressing bottlenecks and weaknesses, Willette said.
"Business owners are starting to realize that a variety of system components are vulnerable to attack," Willette said. "A multilayered security approach is the best way to reduce your risk from a wide variety of threats."
PUBLISHED SEPT. 10, 2014