Elite hacker gang pulls out another IE zero-day from bottomless pocket
Symantec links latest IE vulnerability -- which Microsoft won't patch next week -- to group that's exploited nine zero-days in last two years
Computerworld - An elite hacker group credited last year with having an inexhaustible supply of zero-day vulnerabilities was responsible for digging up and first using the newest unpatched bug in Internet Explorer (IE), a Symantec manager today.
The gang, dubbed "Elderwood" after a source code variable regularly used by the hackers, had been profiled last September by Symantec in a research paper that outlined its strategies as well as its hacking tactics.
Yesterday, Symantec linked Elderwood to the newest IE zero-day, which researchers said last week was being used to attack Windows PCs whose owners visited the Council on Foreign Relations' (CSR) website using IE6, IE7 or IE8. CSR is a high-profile foreign policy think-tank.
Symantec based its conclusion on several factors, including similarities in attack code used both in past exploits and the most recent.
"We analyzed a number of different source files, then cross-referenced them to make our conclusion," Satnam Narang, a manager in Symantec's security response team, said in an interview Friday.
Another clue was the common license of the commercial code packer used to obfuscate Elderwood Flash-based attack files, those definitely attributed to the gang as well as the one Symantec analyzed from the December attacks.
Narang acknowledged that it was possible others beside Elderwood could have gone so far as to spoof the packer licensee, but thought it very unlikely.
By Symantec's count, Elderwood uncovered and used eight zero-days, all in either IE or Adobe's Flash Player, in a 20-month stretch from 2010 through the fall of 2012, including four in a 16-week stretch last year. The newest IE vulnerability, now assigned the identifier CVE-2012-4792, is then the ninth.
The appearance of CVE-2012-4792 does bolster Symantec's assertion last year that Elderwood has an unlimited supply of zero-days, or the technical skills to root out new ones as it exhausts others in attacks that eventually go public. "They've been churning out zero-days," Narang said today, "and we certainly expect this to continue."
Although Microsoft has promised to patch the CVE-2012-4792 in the older versions of IE -- IE9 and IE10 are unaffected -- it has expressed little desire to push out an emergency fix. Next week's Patch Tuesday will not include an IE update, and experts do not expect the company to issue an "out-of-band" patch between then and February's regularly-scheduled security updates.
In lieu of a patch, Microsoft has offered an automated "Fixit" workaround to protect customers. But according to Exodus Intelligence, that workaround is not a foolproof defense.
"After less than a day of reverse engineering, we found that we were able to bypass the [Fixit] and compromise a fully-patched system with a variation of the exploit we developed earlier this week," said the company in a Friday blog post.
Microsoft's hand may be forced if recent online reports are accurate. Those reports, citing researchers who said they have spotted exploits of the IE bug being served by other compromised websites, may indicate an uptick in the number of attacks, often a factor in whether Microsoft issues an emergency update.
Narang was unable to confirm the additional attack sources, or say whether Elderwood was behind them.
Attack code, however, has been public since Saturday, Dec. 29, when a module was added to the open-source Metasploit penetration testing framework, a tool used by legitimate researchers and cyber criminals alike.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed . His email address is firstname.lastname@example.org.
Read more about Malware and Vulnerabilities in Computerworld's Malware and Vulnerabilities Topic Center.
- Mobile First: Securing Information Sprawl Learn how the partnership between Box and MobileIron can help you execute a "mobile first" strategy that manages and secures both mobile apps...
- The Truth About Cloud Security "Security" is the number one issue holding business leaders back from the cloud. But does the reality match the perception?
- Enable secure remote access to 3D data without sacrificing visual perfomance Design and manufacturing companies must adapt quickly to the demands of an increasingly global and competitive economy. To speed time to market for...
- Virtually Delivered High Performance 3D Graphics "A picture is worth a thousand words." That old phrase is as true today as it ever was. Pictures (i.e., those with heavy...
- What should I look for in a Next Generation Firewall? SANS Provides Guidance With so many vendors claiming to have a Next Generation Firewall (NGFW), it can be difficult to tell what makes each one different....
- Responding to New SSL Cybersecurity Threat The featured Gartner research examines current strategies to address new SSL cybersecurity threats and vulnerabilities. All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!