Zero-Day Attacks Pummel IE, Flash
Microsoft Patches IE, But Adobe's Flash Fix Still Forthcoming
Update (May 12): Adobe has released a fix for the Flash flaw, in the form of an updated version of Flash, and warned that "an exploit for CVE-2016-4117 exists in the wild."
Attackers have been exploiting separate zero-day vulnerabilities present in recent versions of Internet Explorer as well as the Adobe Flash browser plug-in software.
On May 10, Microsoft released a patch for supported versions of Internet Explorer that fixes the flaw. But Adobe has yet to release an updated version of Flash to fix its zero-day vulnerability, although it says it may do so this week.
Before Microsoft released its IE fix, attackers were already exploiting the browser's zero-day flaw - designated CVE-2016-0189 - "in limited targeted attacks that affected South Korea," Symantec's Security Response team says in a blog post. All recent versions of Internet Explorer - IE9, IE10 and IE11 - are at risk from the remote memory-corruption vulnerability, which affects a scripting engine built into the browser.
In addition, "In certain Windows versions, the vulnerable scripting engine is also packaged separately from the browser," says Jonathan Leopando, a technical communications specialist with Trend Micro, in a blog post. Those vulnerable scripting engines - Microsoft JScript 5.8 and Microsoft VBScript 5.7 and 5.8 - were also patched May 10 by Microsoft.
"Attackers can exploit this issue by enticing an unsuspecting user to view a specially crafted web page" that exploits the flaw "to execute arbitrary code in the context of the currently logged-in user," according to a vulnerability analysis published by Symantec. "Failed attacks will cause denial-of-service conditions."
But while IE11 is still supported by Microsoft, the software giant ceased supporting IE10 - as well as IE9 and IE8 - on January 12, unless organizations purchased an extended-service contract.
Symantec says the attack is a reminder that all software should be run with "non-privileged user" settings that carry "minimal access rights," to reduce the potential impact of these types of zero-day flaws.
Microsoft says that there are no specific workarounds to mitigate the zero-day flaw, but notes that running its Enhanced Mitigation Experience Toolkit, which is designed to prevent software vulnerabilities in Windows from being exploited, can help block related attacks (see 5 Secrets to Security Success).
Attack's Origin and Purpose Unclear
Symantec says it's not clear who launched these zero-day attacks or how. But it suspects that either spear-phishing emails or watering hole attacks - compromising a legitimate site - were used to redirect victims to a website that hosted a related exploit page.
Here's how the attack unfolded: "The exploit's landing page contained JavaScript code that profiled the computer belonging to the user visiting the site. The code checked to see if the computer was a virtual machine, and determined which version of Internet Explorer, Flash and Windows was running on the computer," Symantec says. "This information was then sent back to a website with South Korea's top-level domain (TLD), .co.kr, in the URL," followed by the JavaScript code delivering the exploit in the form of "an obfuscated VBScript file." If the exploit succeeded, it downloaded - or dropped - a malicious file obtained from another, unspecified website with a ".co.kr" domain name.
Despite tracing how the attack unfolded, however, Symantec says it's still not clear what malicious file or files attackers ultimately installed on affected systems, or what their goals may have been. "The final payload is unknown at this time," it says. "Symantec is continuing to investigate this attack and will provide updates when available."
Microsoft: 16 Security Bulletins
Including the zero-day fix, Microsoft on May 10 issued a slew of monthly security updates. They include 16 security bulletins and patch a total of 51 different flaws. Half of the bulletins - covering such software as the Microsoft Edge browser that's replaced IE, Microsoft Office, plus the Microsoft Graphics Component and Windows Shell built into the Windows operating system - are rated "critical," meaning they could be remotely exploited to run arbitrary code and potentially seize full control of a victim's PC.
But one-third of the flaws patched by Microsoft relate to Adobe Flash. "Since Flash is embedded in Microsoft's IE and Edge browsers, Microsoft started including Adobe patches as a part of their own patch cycle last month," Karl Sigler, threat intelligence manager at security firm Trustwave, says in a blog post. "These vulnerabilities in Flash are rated 'critical' and it's surely just a matter of time before they get imported into popular exploit kits."
Beyond the critical vulnerabilities, "one bulletin to look out for is MS16-065, an update for .NET Framework," he adds. "Despite the rating as 'important' this vulnerability permits a man-in-the-middle attack on SSL/TLS traffic that can allow for full decryption of an existing session."
Adobe Flash: Waiting for Patch
Also on May 10, Adobe issued a security alert for an unspecified, critical vulnerability - designated CVE-2016-4117 - that exists in Adobe Flash Player 21.0.0.226 and earlier versions running on Windows, Apple OS X, Linux or Chrome OS. "Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system," Adobe says.
Adobe says the flaw was discovered by Genwei Jiang, a research engineer at threat-intelligence firm FireEye, and is being actively exploited "in the wild." Adobe says that it "will address this vulnerability in our monthly security update, which will be available as early as May 12."
One concern with Flash flaws is that because of the plug-in software's wide installation base - and many users failing to keep the software updated - it's become a favorite of attackers, including exploit-kit writers and ransomware rings (see Emergency Flash Patch Battles Ransomware).
In the wake of Adobe's regular warnings over fresh zero-day flaws being discovered in Flash, security experts regularly remind users that they should at least enable "click to play," so that automated exploits can't subvert vulnerable versions of Flash to automatically seize control of their PCs. For any users that can live without Flash, many security experts recommend deleting the plug-in (see 2016 Resolution: Ditch Flash).