Software

Microsoft Updates Internet Explorer against Highly Targeted 0day Distributing Pirpi

The patch is up! Microsoft is pushing out an Out of Band (OOB) security update MS14-021 to address the recently disclosed Internet Explorer 0day exploit incidents involving a known, high end threat actor. Cheers to a quick response from such a large vendor on this issue!

The story goes like this. The week of the 20th, attackers known to send very well crafted emails to high value targets made an attempt to redirect folks’ browsers to sites hosting the IE 0day. The goal of the attacks was to deliver a newer version of the years-old Pirpi RAT to compromised, victim systems by taking control of their browsers, and in turn, their systems and networks.

The zero day exploit targeted a memory corruption vulnerability in Internet Explorer. This use-after-free vulnerability (CVE-2014-1776), a type that continues to trouble Microsoft code, was maintained in the mshtml.dll, mshtml.tlb, Microsoft-windows-ie-htmlrendering.ptxml, and Wow64_microsoft-windows-ie-htmlrendering.ptxml code executing in Internet Explorer on all Windows OS. The exploits focused on attacking this code in IE 9 through IE 11.

Researchers previously reported that vgx.dll code was vulnerable, but that is not the code being corrected. The MSRC engineers cleared it up yesterday “we-d like to clarify that VGX.DLL does not contain the vulnerable code leveraged in this exploit.” Unregistering that dll was simply the quickest way to disable related browser functionality. For those of you that unregistered vgx.dll and are applying the update, you will have to re-register the dll: “If you applied the workaround to unregister VGX.DLL, you do not have to undo this workaround before applying the security update. However, the security update will not re-register vgx.dll. See the Workarounds section for the vulnerability for steps on how to re-register vgx.dll.”

208193615The patch itself appears to be pretty large –onx64Windows 7systems running IE 11,it is an approximately16 mbdownload.mshtml.dll is over 20 mb on some versions of IE and the OS, so on some systems, the download may be larger. I haven’t seen any required reboots as a result of the patch yet. Fixes for Internet Explorer version 6 – 8 is being delivered as well for Windows XP SP3 and x64 XP SP2 users.

Now that the patch arrived, it is very important that everyone update. The vulnerability effects mostly all versions of Internet Explorer, on mostly all versions of Windows OS (Windows Update will sort it out for you). Before, it was used in very limited attack volume. According to a recent Microsoft post “The reality is there have been a very small number of attacks based on this particular vulnerability and concerns were, frankly, overblown. Unfortunately this is a sign of the times and this is not to say we don-t take these reports seriously. We absolutely do.” I mostly agree. Security teams just didn’t see it widely used, and we haven’t yet found it used against any of our customer systems. But ItW exploit code has expanded from IE 9 through 11 to attacking Internet Explorer 8 running on Windows XP, also in very limited attack volume.
But, once the update and code is analysed, it can easily be delivered into waiting mass exploitation cybercrime networks. Run Windows Update if you are using a Windows system, and cheers to Microsoft response for delivering this patch to their massive user base quickly.

One final thought, the week is turning out to be a busy one for reponse, as this is the second 0day patch up this week. Note that the Adobe Flash 0day that our guys reported to Adobe and posted earlier this week is unrelated to this IE incident. The targeted Flash 0day watering hole incidents occurred specifically on Syrian websites.

208214278

The Flash components used in the IE 0day attacks were “helper components” to enable evasion of defensive technologies built into newer versions of Internet Explorer and Windows software. Both Flash and Internet Explorer, of course, need to updated.

Microsoft Updates Internet Explorer against Highly Targeted 0day Distributing Pirpi

Your email address will not be published. Required fields are marked *

 

Reports

BlindEagle flying high in Latin America

Kaspersky shares insights into the activity and TTPs of the BlindEagle APT, which targets organizations and individuals in Colombia, Ecuador, Chile, Panama and other Latin American countries.

APT trends report Q2 2024

The report features the most significant developments relating to APT groups in Q2 2024, including the new backdoor in Linux utility XZ, a new RAT called SalmonQT, and hacktivist activity.

Subscribe to our weekly e-mails

The hottest research right in your inbox