An IE flaw is being actively exploited by the hackers who hit Google in 2009, and Microsoft is struggling to offer adequate protection
More websites have been spotted serving up exploits for an unpatched vulnerability in Internet Explorer, used in attacks by the same highly sophisticated group suspected of hitting Google in the well-known Aurora attacks of 2009/10.
The zero-day vulnerability caused panic at the start of the year, leading Microsoft to rush out a Fix It solution whilst it works on issuing a proper patch. But at the end of last week, researchers from vulnerability specialist Exodus Intelligence said they had easily broken the workaround for Internet Explorer.
Internet Explorer exploited
Researchers found attackers were using the vulnerability in watering hole attacks, where hackers researched targets and compromised websites the victims frequented to serve up exploits via Internet Explorer.
Sophos discovered more sites serving up exploits taking advantage of the remote code execution flaw. One was a website serving the Uyghur people of East Turkestan, who campaign for independence from China. The other was an Iranian oil company, based in Tehran, but Sophos would not give a name, as the site was still carrying an infection.
According to Symantec, a gang known as the Elderwood group is behind the latest IE zero-day attacks. The Elderwood team has been linked to attacks on Google in 2010, as part of a widespread campaign known as Operation Aurora that, the Internet giant alleged, was sponsored by the Chinese government.
The Elderwood collective has shown great skill in finding zero-day flaws, using them to hack into various organisations. In September, Symantec reported the hackers were targeting bodies in the defence industry, using eight zero-day flaws they had uncovered.
The security giant warned the Elderwood Project “seemingly has an unlimited supply of zero-day vulnerabilities”.
Given how sophisticated the Elderwood group is, it would come as no surprise if it has already found a way around the flawed Microsoft fix too. Researchers expect more from the hacker cell in the coming months.
“It has become clear that the group behind the Elderwood Project continues to produce new zero-day vulnerabilities for use in watering hole attacks and we expect them to continue to do so in the New Year,” Symantec wrote in a blog post.
Meanwhile, Microsoft is still scrambling for a proper fix. It told TechWeekEurope it has reached out to Exodus Intelligence on how it broke the workaround solution. But it has not offered any further comment on what is being done to address the issue.
“Until a proper patch is pushed out by Microsoft, Internet Explorer users are potentially at risk from attacks which exploit this vulnerability and should take care to ensure that they have layered defences in place to minimise the risk,” Graham Cluley, senior technology consultant at Sophos, wrote in a blog.
UPDATE: Dustin Childs, group manager for Microsoft Trustworthy Computing, sent the following statement to TechWeekEurope: “We’ve reviewed the information from Exodus and are working on an update, which we will make available to all customers on IE6-8 as soon as it is ready for distribution. In the meantime, the current Fix it, mitigations and workarounds available in Security Advisory 2794220 fully protect against all known active attacks. We also continue to encourage customers to upgrade their browsers to IE9-10, which are not affected by this issue.”