Microsoft Updates Internet Explorer against Highly Targeted 0day Distributing Pirpi

The patch is up! Microsoft is pushing out an Out of Band (OOB) security update MS14-021 to address the recently disclosed Internet Explorer 0day exploit incidents involving a known, high end threat actor. Cheers to a quick response from such a large vendor on this issue!

The story goes like this. The week of the 20th, attackers known to send very well crafted emails to high value targets made an attempt to redirect folks’ browsers to sites hosting the IE 0day. The goal of the attacks was to deliver a newer version of the years-old Pirpi RAT to compromised, victim systems by taking control of their browsers, and in turn, their systems and networks.

The zero day exploit targeted a memory corruption vulnerability in Internet Explorer. This use-after-free vulnerability (CVE-2014-1776), a type that continues to trouble Microsoft code, was maintained in the mshtml.dll, mshtml.tlb, Microsoft-windows-ie-htmlrendering.ptxml, and Wow64_microsoft-windows-ie-htmlrendering.ptxml code executing in Internet Explorer on all Windows OS. The exploits focused on attacking this code in IE 9 through IE 11.

Researchers previously reported that vgx.dll code was vulnerable, but that is not the code being corrected. The MSRC engineers cleared it up yesterday “we-d like to clarify that VGX.DLL does not contain the vulnerable code leveraged in this exploit.” Unregistering that dll was simply the quickest way to disable related browser functionality. For those of you that unregistered vgx.dll and are applying the update, you will have to re-register the dll: “If you applied the workaround to unregister VGX.DLL, you do not have to undo this workaround before applying the security update. However, the security update will not re-register vgx.dll. See the Workarounds section for the vulnerability for steps on how to re-register vgx.dll.”

The patch itself appears to be pretty large –onx64Windows 7systems running IE 11,it is an approximately16 mbdownload.mshtml.dll is over 20 mb on some versions of IE and the OS, so on some systems, the download may be larger. I haven’t seen any required reboots as a result of the patch yet. Fixes for Internet Explorer version 6 – 8 is being delivered as well for Windows XP SP3 and x64 XP SP2 users.

Now that the patch arrived, it is very important that everyone update. The vulnerability effects mostly all versions of Internet Explorer, on mostly all versions of Windows OS (Windows Update will sort it out for you). Before, it was used in very limited attack volume. According to a recent Microsoft post “The reality is there have been a very small number of attacks based on this particular vulnerability and concerns were, frankly, overblown. Unfortunately this is a sign of the times and this is not to say we don-t take these reports seriously. We absolutely do.” I mostly agree. Security teams just didn’t see it widely used, and we haven’t yet found it used against any of our customer systems. But ItW exploit code has expanded from IE 9 through 11 to attacking Internet Explorer 8 running on Windows XP, also in very limited attack volume.
But, once the update and code is analysed, it can easily be delivered into waiting mass exploitation cybercrime networks. Run Windows Update if you are using a Windows system, and cheers to Microsoft response for delivering this patch to their massive user base quickly.

One final thought, the week is turning out to be a busy one for reponse, as this is the second 0day patch up this week. Note that the Adobe Flash 0day that our guys reported to Adobe and posted earlier this week is unrelated to this IE incident. The targeted Flash 0day watering hole incidents occurred specifically on Syrian websites.

The Flash components used in the IE 0day attacks were “helper components” to enable evasion of defensive technologies built into newer versions of Internet Explorer and Windows software. Both Flash and Internet Explorer, of course, need to updated.