Elite hacker gang pulls out another IE zero-day from bottomless pocket
Symantec links latest IE vulnerability -- which Microsoft won't patch next week -- to group that's exploited nine zero-days in last two years
Computerworld - An elite hacker group credited last year with having an inexhaustible supply of zero-day vulnerabilities was responsible for digging up and first using the newest unpatched bug in Internet Explorer (IE), a Symantec manager today.
The gang, dubbed "Elderwood" after a source code variable regularly used by the hackers, had been profiled last September by Symantec in a research paper that outlined its strategies as well as its hacking tactics.
Yesterday, Symantec linked Elderwood to the newest IE zero-day, which researchers said last week was being used to attack Windows PCs whose owners visited the Council on Foreign Relations' (CSR) website using IE6, IE7 or IE8. CSR is a high-profile foreign policy think-tank.
Symantec based its conclusion on several factors, including similarities in attack code used both in past exploits and the most recent.
"We analyzed a number of different source files, then cross-referenced them to make our conclusion," Satnam Narang, a manager in Symantec's security response team, said in an interview Friday.
Another clue was the common license of the commercial code packer used to obfuscate Elderwood Flash-based attack files, those definitely attributed to the gang as well as the one Symantec analyzed from the December attacks.
Narang acknowledged that it was possible others beside Elderwood could have gone so far as to spoof the packer licensee, but thought it very unlikely.
By Symantec's count, Elderwood uncovered and used eight zero-days, all in either IE or Adobe's Flash Player, in a 20-month stretch from 2010 through the fall of 2012, including four in a 16-week stretch last year. The newest IE vulnerability, now assigned the identifier CVE-2012-4792, is then the ninth.
The appearance of CVE-2012-4792 does bolster Symantec's assertion last year that Elderwood has an unlimited supply of zero-days, or the technical skills to root out new ones as it exhausts others in attacks that eventually go public. "They've been churning out zero-days," Narang said today, "and we certainly expect this to continue."
Although Microsoft has promised to patch the CVE-2012-4792 in the older versions of IE -- IE9 and IE10 are unaffected -- it has expressed little desire to push out an emergency fix. Next week's Patch Tuesday will not include an IE update, and experts do not expect the company to issue an "out-of-band" patch between then and February's regularly-scheduled security updates.
In lieu of a patch, Microsoft has offered an automated "Fixit" workaround to protect customers. But according to Exodus Intelligence, that workaround is not a foolproof defense.
"After less than a day of reverse engineering, we found that we were able to bypass the [Fixit] and compromise a fully-patched system with a variation of the exploit we developed earlier this week," said the company in a Friday blog post.
Microsoft's hand may be forced if recent online reports are accurate. Those reports, citing researchers who said they have spotted exploits of the IE bug being served by other compromised websites, may indicate an uptick in the number of attacks, often a factor in whether Microsoft issues an emergency update.
Narang was unable to confirm the additional attack sources, or say whether Elderwood was behind them.
Attack code, however, has been public since Saturday, Dec. 29, when a module was added to the open-source Metasploit penetration testing framework, a tool used by legitimate researchers and cyber criminals alike.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed . His email address is firstname.lastname@example.org.
Read more about Malware and Vulnerabilities in Computerworld's Malware and Vulnerabilities Topic Center.
- Deep Security +VMware vSphere with Operations Management Most midsize organizations are highly virtualized on VMware, and while this has produced significant savings, it also has created new challenges when it...
- 3 Questions to Ask Your DNS Host about Lowering DDoS Risks Neustar has had wide-ranging conversations with clients wanting to know how they can optimize protection as DDoS attacks increase in frequency and size.
- The Danger Deepens: 2014 Neustar Annual DDoS Attacks and Impact Report This report compares DDoS findings from 2013 to 2012, based on a survey of 440 North American companies, including 139 businesses delivering technology...
- DDoS Infographic: How Are Attacks Evolving? For the third consecutive year, Neustar surveyed businesses across major industries to track the evolution of DDoS attacks. Are they more frequent? Larger?...
- How to Use Crowd-Sourced Threat Intelligence to Stop Malware in its Tracks Threat sharing networks have been around for a long time, however they have typically been "invitation-only", available to only large companies, or those...
- An Incident Response Playbook: From Monitoring to Operations As cyber-attacks grow more sophisticated, many organizations are investing more into incident detection and response capabilities. In this webcast, learn how to develop... All Malware and Vulnerabilities White Papers | Webcasts