Elite hacker gang pulls out another IE zero-day from bottomless pocket
Symantec links latest IE vulnerability -- which Microsoft won't patch next week -- to group that's exploited nine zero-days in last two years
Computerworld - An elite hacker group credited last year with having an inexhaustible supply of zero-day vulnerabilities was responsible for digging up and first using the newest unpatched bug in Internet Explorer (IE), a Symantec manager today.
The gang, dubbed "Elderwood" after a source code variable regularly used by the hackers, had been profiled last September by Symantec in a research paper that outlined its strategies as well as its hacking tactics.
Yesterday, Symantec linked Elderwood to the newest IE zero-day, which researchers said last week was being used to attack Windows PCs whose owners visited the Council on Foreign Relations' (CSR) website using IE6, IE7 or IE8. CSR is a high-profile foreign policy think-tank.
Symantec based its conclusion on several factors, including similarities in attack code used both in past exploits and the most recent.
"We analyzed a number of different source files, then cross-referenced them to make our conclusion," Satnam Narang, a manager in Symantec's security response team, said in an interview Friday.
Another clue was the common license of the commercial code packer used to obfuscate Elderwood Flash-based attack files, those definitely attributed to the gang as well as the one Symantec analyzed from the December attacks.
Narang acknowledged that it was possible others beside Elderwood could have gone so far as to spoof the packer licensee, but thought it very unlikely.
By Symantec's count, Elderwood uncovered and used eight zero-days, all in either IE or Adobe's Flash Player, in a 20-month stretch from 2010 through the fall of 2012, including four in a 16-week stretch last year. The newest IE vulnerability, now assigned the identifier CVE-2012-4792, is then the ninth.
The appearance of CVE-2012-4792 does bolster Symantec's assertion last year that Elderwood has an unlimited supply of zero-days, or the technical skills to root out new ones as it exhausts others in attacks that eventually go public. "They've been churning out zero-days," Narang said today, "and we certainly expect this to continue."
Although Microsoft has promised to patch the CVE-2012-4792 in the older versions of IE -- IE9 and IE10 are unaffected -- it has expressed little desire to push out an emergency fix. Next week's Patch Tuesday will not include an IE update, and experts do not expect the company to issue an "out-of-band" patch between then and February's regularly-scheduled security updates.
In lieu of a patch, Microsoft has offered an automated "Fixit" workaround to protect customers. But according to Exodus Intelligence, that workaround is not a foolproof defense.
"After less than a day of reverse engineering, we found that we were able to bypass the [Fixit] and compromise a fully-patched system with a variation of the exploit we developed earlier this week," said the company in a Friday blog post.
Microsoft's hand may be forced if recent online reports are accurate. Those reports, citing researchers who said they have spotted exploits of the IE bug being served by other compromised websites, may indicate an uptick in the number of attacks, often a factor in whether Microsoft issues an emergency update.
Narang was unable to confirm the additional attack sources, or say whether Elderwood was behind them.
Attack code, however, has been public since Saturday, Dec. 29, when a module was added to the open-source Metasploit penetration testing framework, a tool used by legitimate researchers and cyber criminals alike.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed . His email address is firstname.lastname@example.org.
Read more about Malware and Vulnerabilities in Computerworld's Malware and Vulnerabilities Topic Center.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The Threat Landscape Hardly a day goes by without the discovery of a new cyberthreat somewhere in the world! But how do you keep up with...
- Security for Virtualization In the rush to implement virtualization, security has become second. So while the business benefits are clear, the risks are less well documented...
- Is Your Big Data Solution Production-Ready? Read "Is Your Big Data Solution Production-Ready?" now, and discover best practices and actionable steps to implementing a production-ready big data solution.
- Pay-as-you-Grow Data Protection: IBM Tivoli's Full-featured Data Protection Suite for Small to Medium Businesses IBM Tivoli Storage Manager Suite for Unified Recovery gives small and medium businesses the opportunity to start out with only the individual solutions...
- Webinar: Building a Big Data solution that's production-ready Big data solutions are no longer just a nice-to-have.
- Meg Whitman presents Unlocking IT with Big Data During this Web Event you will hear Meg Whitman, President and CEO, HP discuss HAVEn - the #1 Big Data platform, as well... All Malware and Vulnerabilities White Papers | Webcasts