Security researchers find a new flaw in Internet Explorer

Nov 11, 2013 13:17 GMT

FireEye Labs has discovered a new security flaw in Internet Explorer, warning that users of both Windows XP and Windows 7 are vulnerable to attacks when visiting a compromised website.

Researchers at the security company FireEye said the attackers chain two different vulnerabilities, and that Internet Explorer users on both Windows XP and Windows 7 are exposed as soon as they load the malicious page.

The first is an information disclosure vulnerability in Internet Explorer, which the exploit uses to “retrieve the timestamp from the PE headers of msvcrt.dll,” according to the company.

“The timestamp is sent back to the attacker’s server to choose the exploit with an ROP chain specific to that version of msvcrt.dll. This vulnerability affects Windows XP with IE 8 and Windows 7 with IE 9,” it noted.
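The fingerprinting step FireEye describes is simple once you know where the value lives: IMAGE_FILE_HEADER.TimeDateStamp sits eight bytes past the "PE\0\0" signature that e_lfanew (offset 0x3C of the MZ header) points to, and it changes with every build of the DLL, so it identifies the exact msvcrt.dll version and therefore the gadget addresses a ROP chain can rely on. The following is an added example, not FireEye's code and not the exploit's: it parses the timestamp from a constructed minimal PE image (or from a real DLL if you pass a path on Windows) and shows the server-side selection step with a hypothetical timestamp-to-chain table; the timestamp values and chain names are placeholders, not the real targeted builds.

```python
import struct
import sys
from datetime import datetime, timezone

# IMAGE_FILE_HEADER (20 bytes) follows the 4-byte "PE\0\0" signature:
#   Machine(2) NumberOfSections(2) TimeDateStamp(4) PointerToSymbolTable(4)
#   NumberOfSymbols(4) SizeOfOptionalHeader(2) Characteristics(2)
FILE_HEADER_FMT = "<HHIIIHH"
TIMESTAMP_OFFSET = 4 + 4  # signature + Machine + NumberOfSections


def build_minimal_pe(timestamp, e_lfanew=0x40):
    """Constructed test fixture: an MZ stub with e_lfanew at 0x3C, then the PE
    signature and an IMAGE_FILE_HEADER carrying `timestamp`. Not a real DLL."""
    stub = bytearray(e_lfanew)
    stub[0:2] = b"MZ"
    struct.pack_into("<I", stub, 0x3C, e_lfanew)
    file_header = struct.pack(FILE_HEADER_FMT, 0x014C, 3, timestamp, 0, 0, 0xE0, 0x2102)
    return bytes(stub) + b"PE\0\0" + file_header


def pe_timestamp(image):
    """Return IMAGE_FILE_HEADER.TimeDateStamp of a PE image held in memory."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if e_lfanew + 4 + struct.calcsize(FILE_HEADER_FMT) > len(image):
        raise ValueError("e_lfanew points outside the image")
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    (timestamp,) = struct.unpack_from("<I", image, e_lfanew + TIMESTAMP_OFFSET)
    return timestamp


# Hypothetical table standing in for the attacker's server-side logic: the real
# exploit keyed its ROP chains on the timestamps of the msvcrt.dll builds it
# targeted. These timestamps and chain names are placeholders, not real ones.
ROP_CHAINS = {
    0x4802A12C: "rop_xp_ie8",
    0x4A5BDA6F: "rop_win7_ie9",
}


def select_rop_chain(timestamp, table=ROP_CHAINS):
    """Pick the chain for this build; None means the build is not targeted."""
    return table.get(timestamp)


if __name__ == "__main__":
    # On Windows: python pe_timestamp.py C:\Windows\System32\msvcrt.dll
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            data = f.read()
    else:
        data = build_minimal_pe(0x4802A12C)
    ts = pe_timestamp(data)
    print(f"TimeDateStamp=0x{ts:08X} ({datetime.fromtimestamp(ts, timezone.utc):%Y-%m-%d})")
    print("ROP chain:", select_rop_chain(ts) or "none (build not targeted)")
```

The lookup explains why the attack only works on the listed configurations: a build whose timestamp is not in the attacker's table gets no exploit at all, and any update that replaces msvcrt.dll changes the key. The same parser, pointed at the msvcrt.dll on a machine under investigation, tells you which build the leak would have reported.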

The second is a memory access vulnerability whose exploit targets the English versions of IE 7 and IE 8 on Windows XP, as well as Windows 7.

“This exploit has a large multi-stage shellcode payload. Upon successful exploitation, it will launch rundll32.exe (with CreateProcess), and inject and execute its second stage (with OpenProcess, VirtualAlloc, WriteProcessMemory, and CreateRemoteThread). The second stage isn’t written to a file as with most common shellcode, which usually downloads an executable and runs it from disk,” FireEye also mentioned in a security advisory.
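The API sequence in that advisory is the classic remote-thread injection pattern (CreateProcess a host, VirtualAlloc and WriteProcessMemory into it, CreateRemoteThread at the written buffer), and because the second stage never touches disk, the thing to hunt for is the process activity itself rather than a dropped file. The following is an added example, not FireEye's code: a small correlation rule over constructed records in the shape of Sysmon Event ID 1 (ProcessCreate) and Event ID 8 (CreateRemoteThread) that flags a browser creating a thread in rundll32.exe, and scores it higher when the browser also spawned that rundll32.exe and when the thread's start address is not backed by any loaded module. The PIDs, paths and addresses are made up; the watch lists are assumptions you would tune for your environment.

```python
import ntpath

BROWSERS = {"iexplore.exe"}
INJECTION_HOSTS = {"rundll32.exe"}  # the advisory names rundll32.exe; extend as needed


def _name(path):
    return ntpath.basename(path).lower()


def detect_remote_thread_injection(events):
    """Correlate ProcessCreate (id 1) and CreateRemoteThread (id 8) records.

    Returns one alert per remote thread a browser creates in a host process,
    scored by how many of the indicators from the advisory are present."""
    parent_of = {}  # pid -> ppid, from ProcessCreate records seen so far
    alerts = []
    for ev in events:
        if ev["id"] == 1:
            parent_of[ev["pid"]] = ev["ppid"]
            continue
        if ev["id"] != 8:
            continue
        src, tgt = _name(ev["source_image"]), _name(ev["target_image"])
        if src not in BROWSERS or tgt not in INJECTION_HOSTS:
            continue
        reasons = [f"{src} created a thread in {tgt}"]
        if parent_of.get(ev["target_pid"]) == ev["source_pid"]:
            reasons.append("target was spawned by the injecting browser")
        if not ev.get("start_module"):
            reasons.append("thread start address is not backed by a loaded module")
        alerts.append({
            "source_pid": ev["source_pid"],
            "target_pid": ev["target_pid"],
            "severity": "high" if len(reasons) == 3 else "medium",
            "reasons": reasons,
        })
    return alerts


# Constructed sample telemetry in the shape of Sysmon Event ID 1 / ID 8 fields;
# not captured from a real incident. PIDs and addresses are made up.
IE = r"C:\Program Files\Internet Explorer\iexplore.exe"
RUNDLL = r"C:\Windows\System32\rundll32.exe"
EXPLORER = r"C:\Windows\explorer.exe"

SAMPLE_EVENTS = [
    {"id": 1, "pid": 1200, "ppid": 900, "image": IE},
    # stage 1: the shellcode launches rundll32.exe with CreateProcess
    {"id": 1, "pid": 1244, "ppid": 1200, "image": RUNDLL},
    # stage 2: WriteProcessMemory + CreateRemoteThread into it; the start
    # address lies in a VirtualAlloc'd region, so no module backs it
    {"id": 8, "source_pid": 1200, "source_image": IE, "target_pid": 1244,
     "target_image": RUNDLL, "start_address": "0x00A40000", "start_module": ""},
    # an unrelated rundll32.exe started from the shell
    {"id": 1, "pid": 3000, "ppid": 2500, "image": RUNDLL},
    # browser -> rundll32 thread starting inside a loaded module: still odd, scored lower
    {"id": 8, "source_pid": 1200, "source_image": IE, "target_pid": 3000,
     "target_image": RUNDLL, "start_address": "0x77A10000",
     "start_module": r"C:\Windows\System32\ntdll.dll"},
    # explorer.exe -> rundll32.exe: source is not a browser, ignored by this rule
    {"id": 8, "source_pid": 2500, "source_image": EXPLORER, "target_pid": 3000,
     "target_image": RUNDLL, "start_address": "0x77A10000",
     "start_module": r"C:\Windows\System32\ntdll.dll"},
]

if __name__ == "__main__":
    for alert in detect_remote_thread_injection(SAMPLE_EVENTS):
        print(alert["severity"], alert["source_pid"], "->", alert["target_pid"],
              "; ".join(alert["reasons"]))
```

The rule deliberately keys on the injecting process rather than on the payload, since the payload leaves nothing on disk to hash; on a live system the same indicators are what you would confirm by dumping the rundll32.exe process and looking for an executable private region at the thread's start address.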

Microsoft will most likely not address the new zero-day in this month's Patch Tuesday release, as there is no time left to prepare and test an update, but FireEye says it is already working with Redmond on fixing the vulnerabilities.

The exploit is already being used in the wild, however: the same company warns that there are signs linking the attack to Operation DeputyDog, an earlier campaign based on a similar scheme exploiting an Internet Explorer flaw.

“The attackers loaded the payload used in this attack directly into memory without first writing to disk – a technique not typically used by advanced persistent threat (APT) actors. This technique will further complicate network defenders’ ability to triage compromised systems, using traditional forensics methods,” the company noted.

We’ve reached out to Redmond to find more information on this, so we’ll update the article as soon as we get an answer.