Update: Microsoft to patch just-revealed Windows zero-day tomorrow

Memory-resident malware triggered when users running IE browsed to 'watering hole' website


Kindlund speculated that the hackers chose the memory-resident attack technique to safeguard the zero-day vulnerability they exploited, a tactic that, in this case at least, didn't work.

"They were willing to accept the trade-off [of potentially losing the PC compromise] because they did not want this zero-day vulnerability to be discovered this easily," Kindlund said. "If they were going to employ it, they wanted to be cautious ... the more times they used it, the more likely that it would be discovered and patched."

In a post to the FireEye blog on Sunday, four researchers spilled details of the attack code. They also noted a possible link, via the malware's command-and-control infrastructure, to a hacking campaign from August 2013 that the security vendor had dubbed "Operation DeputyDog."

DeputyDog in turn had been connected to the hackers who in February infiltrated the corporate network of Bit9, a Waltham, Mass., security vendor, issued themselves valid digital certificates and then used those certificates to infect the networks of several Bit9 customers.

On Monday, however, Kindlund was hesitant to claim that the same group responsible for DeputyDog and the Bit9 breach was also behind the latest attacks. "We like to take a cautious stance before linking an attack to a group. We want at least three linkages, but so far we have only one [to DeputyDog]," said Kindlund. "It's a significant finding, but the link could mean it's the same threat actor or that two different threat actors are using the same command-and-control infrastructure."

Kindlund defended FireEye's decision to publicly reveal the zero-day and even some of the technical details of the attack campaign. Microsoft prefers researchers not do that before a problem has been patched.

"We had to make a trade-off between the interests of Microsoft with the interests of the general public, who needed to be aware that targeted attacks using this vulnerability were in the wild," Kindlund said.

Although Microsoft had declined to confirm FireEye's findings earlier Monday, the company announced at around 1 p.m. PT (4 p.m. ET) that a fix would be issued Tuesday as part of its November slate of security updates.

"We have confirmed that this vulnerability is an issue already scheduled to be addressed in 'Bulletin 3,' which will be released as MS13-090," said Dustin Childs, a spokesman for the Microsoft Security Response Center (MSRC), in a post to the group's blog.

Bulletin 3 was one of eight that Microsoft announced last Thursday in its usual advance notification of a Patch Tuesday. That update, which will be rated "critical," will affect Windows XP, Vista, Windows 7, Windows 8 and Windows 8.1 on the client side, and Windows Server 2003, 2008, 2008 R2, 2012 and 2012 R2 on the server end.

In his blog post Monday afternoon, Childs said that the flaw involved an ActiveX control, Microsoft's browser plug-in technology. Childs also listed several steps customers could take to harden their PCs against attack until tomorrow's update arrives.

Microsoft did not suddenly accelerate its patch development and testing process to get the patch ready; instead, the company had already identified the flaw, perhaps with the help of other outside researchers and probably several weeks ago, and had crafted a fix.

The November slate of Microsoft's patches will ship Tuesday at around 10 a.m. PT (1 p.m. ET).

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, or subscribe to Gregg's RSS feed. His email address is gkeizer@computerworld.com.

Copyright © 2013 IDG Communications, Inc.
