What you need to know about the Internet Explorer zero-day attacks
Tony Bradley @TheTonyBradley
Sep 18, 2012 10:55 AM
Microsoft has confirmed reports that a zero-day vulnerability in its Internet Explorer Web browser is being actively attacked in the wild. While Microsoft works diligently to crank out a patch, it’s important for businesses and consumers to understand the threat, and the steps that can be taken to avoid compromise while you wait.
Microsoft has published a security advisory acknowledging the threat. According to Microsoft, the zero-day exploit affects Internet Explorer 7, 8, and 9. Internet Explorer 10 is not impacted, but it’s not completely safe because it remains vulnerable to flaws in the embedded Adobe Flash.
The Microsoft advisory includes some tips that can be used to defend against this threat pending a patch for the underlying flaw. Microsoft recommends that customers use the Enhanced Mitigation Experience Toolkit (EMET) to implement mitigations that can prevent the zero-day exploit from working. In addition, Microsoft advises customers to set the Internet and local intranet security zone in Internet Explorer to “High” to block ActiveX controls and Active Scripting from running, or at least configure it to prompt before executing.
Andrew Storms, director of security operations for nCircle, puts the threat in perspective. “If your systems are running IE, you are at risk, but don’t panic. The reality is it’s just one more zero-day and we’ve seen an awful lot of them come and go.”
However, Storms isn’t confident that business customers will appreciate the guidance from Microsoft. “If you set your Internet and local security zones to ‘High’ as recommended to block ActiveX controls and Active Scripting, there’s a very good chance necessary business applications will be adversely affected.”
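The advisory's zone guidance can be checked on a workstation before it is rolled out. The script below is an added example, not Microsoft's tooling or anything from the advisory: it reads the Internet (zone 3) and Local intranet (zone 1) zone keys, reports whether "Run ActiveX controls and plug-ins" (action 1200) and "Active scripting" (action 1400) are set to Enable, Prompt or Disable, and with -Remediate moves any silent Enable to Prompt, the milder option the advisory allows, which addresses the business-application concern Storms raises. The registry paths and action numbers are the documented IE zone layout; writing to HKLM needs an elevated prompt.

```powershell
# Audit (and optionally tighten) the IE zone actions named in the advisory.
# Added example for this article; not Microsoft's code.
[CmdletBinding()]
param(
    # -Remediate changes Enable (0) to Prompt (1) rather than Disable (3),
    # so line-of-business web apps still run, but only after a user prompt.
    [switch]$Remediate
)

$zones   = @{ 1 = 'Local intranet'; 3 = 'Internet' }
$actions = @{ '1200' = 'Run ActiveX controls and plug-ins'; '1400' = 'Active scripting' }
$states  = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }
$findings = @()

foreach ($zoneId in $zones.Keys) {
    # HKCU holds the per-user setting; HKLM applies when policy enforces
    # machine-wide zones, so both hives are inspected.
    foreach ($hive in 'HKCU', 'HKLM') {
        $key = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$zoneId"
        if (-not (Test-Path $key)) { continue }
        foreach ($action in $actions.Keys) {
            $value = (Get-ItemProperty -Path $key -Name $action -ErrorAction SilentlyContinue).$action
            if ($null -eq $value) { continue }   # action not defined in this hive
            $state = if ($states.ContainsKey([int]$value)) { $states[[int]$value] } else { "Unknown($value)" }
            $weak  = ([int]$value -eq 0)         # 0 = runs silently, the state the advisory warns about
            if ($weak -and $Remediate) {
                Set-ItemProperty -Path $key -Name $action -Value 1 -Type DWord
                $state = 'Prompt (remediated)'
                $weak  = $false
            }
            $findings += [pscustomobject]@{
                Hive   = $hive
                Zone   = $zones[$zoneId]
                Action = $actions[$action]
                State  = $state
                Weak   = $weak
            }
        }
    }
}

$findings | Format-Table -AutoSize
if ($findings | Where-Object Weak) {
    Write-Warning 'ActiveX or Active Scripting still runs without prompting in at least one zone.'
}
```

Run it once without -Remediate to see the current posture, then again with -Remediate on a test machine to confirm the business applications Storms mentions still work behind a prompt.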
The Metasploit exploit for the Internet Explorer zero-day relies on the presence of Java on the target system. That means that PCs without Java are safe against the Metasploit-based exploits, and that it might be a great time to reevaluate whether your PCs really need to run Java. If you don’t actually use Java, uninstall it.
Liam O Murchu, manager of operations for Symantec Security Response, adds some interesting trivia. “Another interesting point to note regarding this vulnerability is that the exploit was found on the same servers being used as part of the Nitro attacks. In August, Symantec observed that the cybercriminals behind this ongoing targeted attack campaign, which initially targeted companies in the chemical industry, had ramped up their efforts with several new techniques and a Java zero-day vulnerability.”
Essentially, if you can remove Java you should do so. Regardless of Java, though, businesses and consumers alike should always be vigilant about ActiveX controls or Active Scripting executing within the browser and take steps to guard against malicious code.
Malicious code apparently used by governments to spy on, harass, and sabotage one another has grabbed headlines in recent years, yet the highly targeted nature of such attacks has meant ordinary Web users have so far had little to fear. That may now be changing as some experts say the techniques used in sophisticated, state-backed malware are trickling down to less-skilled programmers who target regular Web users and their online accounts or credit card details.
"Cybercriminals read the news as well," says Roel Schouwenberg, a security researcher with Russian computer security company Kaspersky. Schouwenberg adds that sophisticated, state-sponsored "cyberweapons and targeted attacks now give us some insight into what will be coming into the mainstream."
State-sponsored malware became widely known in 2010 with the discovery of Stuxnet, a program targeted at Iranian industrial control systems and believed to have been sponsored by Israel and the United States (see "New Malware Brings Cyberwar One Step Closer"). Since then, several other very sophisticated malware packages have been discovered that are also believed to have been made by governments or government contractors. These packages include Duqu, exposed late in 2011, and Flame, found in May 2012.
One reason such malware is so effective is that it tends to exploit previously unknown software vulnerabilities, known as zero-days, in widely used programs such as Microsoft Windows to gain control of a computer. Schouwenberg says those exploits can be quickly "copy-pasted" by other programmers, as happened after the discovery of Stuxnet, but they are also usually patched relatively quickly by software companies. More concerning is the way that higher-level design features are being picked up, he says.
"They are copying the design philosophy," says Schouwenberg, adding that one now-popular technique found in conventional "criminal malware" was inspired by the discovery of Stuxnet. For example, Stuxnet installed fake device drivers using digital security certificates stolen from two Taiwanese computer component companies, allowing them to sneak past any security software. Other malware now uses fake certificates in a similar way to hide malicious software from antivirus programs.
"Stuxnet was the first really serious malware with a stolen certificate, and it's become more and more common ever since," says Schouwenberg. "Nowadays you can see use of fake certificates in very common malware."
Aviv Raff, chief technology officer and cofounder of Israeli computer security firm Seculert, agrees. "Design features of Stuxnet, Duqu, and Flame are appearing in opportunistic criminal malware," he says.
Schouwenberg says he is currently on the lookout for tricks used in the recently discovered Flame, described by some researchers as the "most complex ever found" (see "The Antivirus Era is Over"), to surface in more common malware.
Flame had a modular design, enabling its operators to send upgraded parts as necessary, for example to perform particular actions or attacks. "I think we will definitely see more of that approach," says Schouwenberg, who believes it might be an attractive way for malware authors to sell their work to others. "It provides an up-sell opportunity for these guys if they can sell something, and then offer upgrade kits to improve it later."
Schouwenberg says that a modular design also makes it harder for security companies to track a particular piece of malware. "When they only upload the modules to specific targets, it's much harder to get all the components and see and know all of it."
Sean Sullivan, a researcher at Finnish security company F-Secure, agrees that this is a good way to understand the way common cyber criminals build technology. "Criminals operate in a highly commoditized 'malware as a service' ecosystem. They buy components and assemble them into their operation. Like a business, they optimize for profit," he says.
However, Sullivan also notes that many cyber criminals have invested in their own code, and can't dedicate resources on the scale of a government contractor or agency.
"The operational security required by those behind Stuxnet, Flame, etc. means that they simply cannot outsource anything, they must do everything from start to finish," says Sullivan, "which is a heavy investment and certainly isn't anything close to being profitable."
But Schouwenberg says the influx of expensively developed new ideas into criminal malware will likely increase in coming years. Government agencies and contractors around the world now openly advertise for programmers with the skills needed to create sophisticated malware, he says, suggesting there are more Stuxnets, Duqus, and Flames to come. "That's a major shift from just a few years ago," he says.