Clandestine Fox Nips at Explorer's Heels
Microsoft has vastly improved IE's security, but its penchant for supporting legacy users by carrying old code into new versions has backfired in this case. "Internet Explorer is an older browser, and when you find a vulnerability like this that effects several versions, a lot of time you'll find it in a part of the browser that hasn't changed in 10 years," said Rapid7's Ross Barrett.
Apr 28, 2014 5:00 PM PT
Microsoft's Internet Explorer Web browser has a flaw that allows hackers to commandeer control of computers, FireEye reported Saturday.
Although the never-seen-before vulnerability can be found in all versions of the browser, hackers are targeting IE versions 9 through 11, according to a blog post by the three researchers who made the discovery.
"Threat actors are actively using this exploit in an ongoing campaign which we have named 'Operation Clandestine Fox,'" wrote the researchers, Xiaobo Chen, Dan Caselden and Mike Scott.
Although the trio did not reveal any details about the campaign for security reasons, they noted that "we believe this is a significant zero day, as the vulnerable versions represent about a quarter of the total browser market."
On the same day FireEye posted its findings, Microsoft published a security advisory describing the flaw as a vulnerability that allows objects in memory that have not been deleted or properly allocated to be used to execute arbitrary code within the browser.
"An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website," the Microsoft advisory said.
Microsoft made a number of recommendations for users to protect their computers from being infected with malware until the company can patch the flaw, including deploying its Enhanced Experience Toolkit 4.1, setting the security zones in IE to "high," and disabling Active Scripting in the browser.
Others have recommended disabling Adobe Flash, which is used to enable the attack, and using another Web browser entirely.
Attacks exploiting the vulnerability also can be foiled by disabling the VGX library, an antique bit of code that's used to render the Vector Markup Language in the browser.
"VML should be disconnected as quickly as possible, and it probably doesn't make any sense to ever reconnect it," Wolfgang Kandek, CTO of Qualys, told the E-Commerce Times.
That can be done by running from the command line in Windows: regsvr32 -u "%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll."
Unlike some of the other measures recommended by Microsoft, disabling the VGX library will have a minimal impact on a Web-surfing experience.
"It only affects you if you go to a page with VML on it," Kandek said, "and those pages are hard to find."
What's good about the VGX solution is that it works on all versions of Windows -- even XP, which lost its Microsoft support on April 8 and won't receive a bug patch, when it's released.
"This time XP users are extremely lucky that a piece of code that nobody needs was involved in a flaw," Kandek said.
"Next time," he continued, "it may be a piece of code that's important to HTML processing. Then it will not be that easy to deactivate the code."
No Browser Safe
Although Microsoft has vastly improved IE's security over the years, its penchant for supporting legacy users by carrying old code into new versions of IE has backfired in this case.
"Internet Explorer is an older browser, and when you find a vulnerability like this that effects several versions, a lot of time you'll find it in a part of the browser that hasn't changed in 10 years," Ross Barrett, senior manager of security engineering with Rapid7, told the E-Commerce Times.
"Browsers like Chrome and Firefox, because they're starting from a newer base and they've reinvented themselves a few times and have dropped legacy compatibility pieces, they can more aggressively adopt modern security principles that make them less vulnerable to this kind of issue," Barrett added.
Nevertheless, no matter how strong a software's security is, persistent actors bent on cracking into an organization will find a way to do so.
"People say one browser is more secure than another, but this can happen in any browser or application," Aviv Raff, chief technology officer with Seculert, told the E-Commerce Times.
"The reason this browser was targeted was because they knew their targeted entity was using the browser," he added. "If someone is using Chrome or Firefox, and they want to target them, they'll find a vulnerability."
The discovery of the IE flaw isn't coming at an opportune time for Microsoft. "They're going to take some hits around not supporting Windows XP " Christopher Budd, threat communications manager for Trend Micro, told the E-Commerce Times.
"Microsoft has supported XP longer than anyone has supported any modern operating system," Budd said, "but the fact is that a quarter of PCs out there are running XP, so in situations like this they are going to be criticized for not providing security for it."
On the other hand, this security problem could be a wakeup call for XP users.
"It could have a positive impact," Jerome Segura, a senior security researcher at Malwarebytes, told the E-Commerce Times, "because with all the publicity around this, it will encouraqge XP users to migrate more so than ever."