A software vulnerability research firm said it has uncovered a way to bypass the Fix It tool Microsoft released last week as a stop-gap solution to attacks targeting a zero-day bug in Internet Explorer.
The finding was made by Exodus Intelligence, which explained that it was able to bypass the Fix It tool after less than a day of reverse engineering. The bypass allowed them to compromise a fully patched system with a variation of an exploit it developed earlier.
“This is just another Internet Explorer use-after-free bug which was actually relatively easy to [analyze] and exploit,” blogged Peter Vreugdenhil of Exodus Intelligence. “I used some new and/or non public techniques to get a reliable exploit that doesn’t require heap spray, but all in all this bug can be exploited quite reliably.”
The bug at the center of the finding is CVE-2012-4792, a use-after free memory vulnerability that was observed in late December being used as part of a plot to infect visitors to a number of Websites, including the site for a political think tank called the Council on Foreign Relations. If successfully exploited, the vulnerability could permit an attacker to corrupt memory in a way that would allow them to remotely execute code.
According to researchers at Symantec, the water hole attacks may be attributed to the Elderwood project, which has been linked to the use of several Microsoft zero-day bugs in the past eight months. In a blog post, Symantec’s Security Response team noted that in May 2012, Amnesty International’s Hong Kong Website was compromised and used to serve a malicious SWF file exploiting CVE-2012-1875, which is another IE vulnerability. In September, the Elderwood gang was tied to yet another IE zero-day, CVE-2012-4969.
Then in December, a Symantec researcher found another site besides the Council for Foreign Relations serving up an exploit for the latest zero-day. That site was linked to attacks using CVE-2012-4969 back in September. The Website, Symantec said, “was compromised to serve CVE-2012-1889 back in June with a file called movie.swf. The file, movie.swf, is associated with the Elderwood Project.”
There was other evidence linking the Elderwood crew to the exploit as well. After analyzing samples of the SWF files used in the Elderwood water hole attacks, Symantec discovered that the author of the Flash exploits used symbols in some of the attacks. Each sample included a function named HeapSpary – most likely a mistyping of the term Heap Spray. In addition, two of the SWF files both use variables named URL_Addr and Flahs_Version. Furthermore, all three exploit files examined by Symantec use the variable name OS_Version.
According to Microsoft, the vulnerability impacts Internet Explorer versions 6, 7 and 8. However, IE9 and 10 are not susceptible.
“Customer protection is a top priority for us,” said Dustin Childs, group manager of response communications for Microsoft Trustworthy Computing, in a statement. “We are aware of this claim and have reached out to the group for more information, and continue to actively work on a security update to address this issue. Additionally, we released Security Advisory 2794220 to provide customer awareness of the issue…and we strongly encourage our customers to apply the mitigations and workarounds described in the advisory.”
Microsoft has not said precisely when a patch will be ready for the vulnerability.