Microsoft released an out-of-band security patch this Tuesday for Internet Explorer 7 through Internet Explorer 11. This patch contained a fix for a critical security flaw (CVE-2015-2502) that allows attackers to infect users when they visit some particular websites (all legitimate). Some attackers have leveraged this exploit, after the patch was released, to deliver malware to users through various legitimate websites.
Microsoft did warn that the memory corruption flaw was being exploited in the wild. It had credited Google researcher, Clement Lecigne, for discovering this zero-day vulnerability in multiple versions of Internet Explorer. Following the patch, Wolfgang Kandek, CTO Qualys shared how this vulnerability can be exploited by malicious actors in different ways:
- Hosting the exploit on ad networks, which are then used by entirely legitimate websites;
- Gaining control over legitimate websites, say blogs, by exploiting vulnerabilities in the blogging server software or simply weak credentials;
- Setting up specific websites for the attack and manipulating search engine results;
- Send you a link to the site by e-mail or other messaging programs.
As can be noticed, a website doesn't have to play any role which is why legitimate websites are being used by hosting the exploit on ad networks or even gaining control of the websites taking advantage of weak website credentials. Once the user is infected, malware gains user privileges on the machine potentially installing more malware on it.
Following the patch that arrived only two days back, security firms Heimdal Security and Symantec have reported watering hole attacks where attackers have used the exploit to deliver PlugX remote access Trojan (RAT) to the website visitors. Using legitimate sites to deliver malware, the attackers then aim to steal valuable information from the machines. According to the sources, the command and control (C&C) server used in this particular attack is hosted by a Korean company EhostIDC. This latest attack also compromised the website of the Evangelical Lutheran Church of Hong Kong which redirected visitors to a site (18.104.22.168) hosting the IE exploit. Citizen Lab spotted PlugX being used to target Hong Kong pro-democracy groups and Tibetan diaspora earlier in the year, reports Security Week.
Microsoft's Windows 10 Edge browser remains unaffected by this zero-day vulnerability. This helps the company make a statement of why it was important to kill Internet Explorer and bring a completely new browser which seems more secure.