Elite hacker gang pulls out another IE zero-day from bottomless pocket
Symantec links latest IE vulnerability -- which Microsoft won't patch next week -- to group that's exploited nine zero-days in last two years
Computerworld - An elite hacker group credited last year with having an inexhaustible supply of zero-day vulnerabilities was responsible for digging up and first using the newest unpatched bug in Internet Explorer (IE), a Symantec manager said today.
The gang, dubbed "Elderwood" after a source code variable regularly used by the hackers, had been profiled last September by Symantec in a research paper that outlined its strategies as well as its hacking tactics.
Yesterday, Symantec linked Elderwood to the newest IE zero-day, which researchers said last week was being used to attack Windows PCs whose owners visited the Council on Foreign Relations' (CSR) website using IE6, IE7 or IE8. CSR is a high-profile foreign policy think-tank.
Symantec based its conclusion on several factors, including similarities in attack code used both in past exploits and the most recent.
"We analyzed a number of different source files, then cross-referenced them to make our conclusion," Satnam Narang, a manager in Symantec's security response team, said in an interview Friday.
Another clue was the license of the commercial code packer used to obfuscate Elderwood's Flash-based attack files: the same license appeared both in files definitely attributed to the gang and in the one Symantec analyzed from the December attacks.
Narang acknowledged that it was possible others besides Elderwood could have gone so far as to spoof the packer licensee, but thought it very unlikely.
By Symantec's count, Elderwood uncovered and used eight zero-days, all in either IE or Adobe's Flash Player, in a 20-month stretch from 2010 through the fall of 2012, including four in a 16-week stretch last year. The newest IE vulnerability, now assigned the identifier CVE-2012-4792, is thus the ninth.
The appearance of CVE-2012-4792 does bolster Symantec's assertion last year that Elderwood has an unlimited supply of zero-days, or the technical skills to root out new ones as it exhausts others in attacks that eventually go public. "They've been churning out zero-days," Narang said today, "and we certainly expect this to continue."
Although Microsoft has promised to patch CVE-2012-4792 in the older versions of IE -- IE9 and IE10 are unaffected -- it has expressed little desire to push out an emergency fix. Next week's Patch Tuesday will not include an IE update, and experts do not expect the company to issue an "out-of-band" patch between then and February's regularly-scheduled security updates.
In lieu of a patch, Microsoft has offered an automated "Fixit" workaround to protect customers. But according to Exodus Intelligence, that workaround is not a foolproof defense.
"After less than a day of reverse engineering, we found that we were able to bypass the [Fixit] and compromise a fully-patched system with a variation of the exploit we developed earlier this week," said the company in a Friday blog post.
Microsoft's hand may be forced if recent online reports are accurate. Those reports, citing researchers who said they have spotted exploits of the IE bug being served by other compromised websites, may indicate an uptick in the number of attacks, often a factor in whether Microsoft issues an emergency update.
Narang was unable to confirm the additional attack sources, or say whether Elderwood was behind them.
Attack code, however, has been public since Saturday, Dec. 29, when a module was added to the open-source Metasploit penetration testing framework, a tool used by legitimate researchers and cyber criminals alike.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer.