Council on Foreign Relations Harold Pratt House

Microsoft Rushes Fix for IE Hole Used in Attacks on DC’s Elite

Microsoft issued an emergency fix for its Internet Explorer web browser on Monday, just days after security researchers reported finding a previously unknown (zero day) vulnerability in IE that was being used in targeted attacks against members of Washington D.C.’s media, government and policy elite.


Microsoft’s Security Response Center (MSRC) released the fix for IE versions 6, 7 and 8 on Monday following reports that sophisticated and targeted attacks using the vulnerability were detected on the web site of the Council on Foreign Relations, a leading think tank whose members include senior government officials.

In a Security Advisory (#2794220), Microsoft described the flaw as a “remote code execution vulnerability” in code that governs the way that “Internet Explorer accesses an object in memory that has been deleted or (improperly) allocated.” The vulnerability could allow an attacker to create a malicious web page that corrupts memory in a way that could be used to execute arbitrary code in the context of the current user within Internet Explorer, Microsoft said.

The so-called “Fix it” is a temporary workaround and not an official security update that would be needed to permanently repair the security hole. Microsoft dubbed the fix for the IE problem the “MSHTML Shim Workaround.”

According to a report by the conservative blog The Free Beacon, the breach was first detected by a CFR user on December 26, prompting an independent investigation by unnamed “security researchers” that uncovered the IE zero day hole. The Free Beacon report described a sophisticated and highly targeted attack that placed information-stealing malware on the computers of select CFR members who visited the organization’s web site. Specifically, the attack targeted IE 8 users who visited the site.


In a statement on Sunday, CFR’s Director of Web Management and Development, W. Thomas Davey III, said that the malware was detected and removed on December 27 and that an “investigation into this matter is currently ongoing.” Initial analysis has not uncovered evidence that data entrusted to CFR, including e-mail addresses and passwords, was compromised in the attack, he said.

A subsequent analysis of the attack by the security firm FireEye on December 28 revealed more details. In particular, FireEye dated the genesis of the attack to December 21 and said CFR visitors who had operating systems configured to English, Chinese, Korean, Russian or Japanese were specifically targeted. The attack uses a variation of a drive-by-download attack called a “drive by cache” attack, in which a malicious program and the exploit are downloaded together, and the cached malware is run following the successful execution of the exploit.

In the latest attack, a malicious Adobe Flash file was used to launch a heap-spray attack against IE and trigger the vulnerability. After that, malicious content was loaded that connected the infected system to a command and control infrastructure that pushed down more malicious software, FireEye reported.

Analysis of the malicious payload revealed comments and component names written in simple Chinese, FireEye said. That suggests (though by no means proves) the attack is of Chinese origin.

The attack fits the description of so-called “watering hole” operations, in which less secure web sites that are frequented by a target population are compromised, in the hopes that the ultimate targets will visit those sites and become infected.

The security firm RSA published a report (PDF) on a similar attack, dubbed “VOHO,” in September. The report described a July 2012 incident in which web sites for the Carter Center, Radio Free Europe, the Massachusetts bank Rockland Trust and others were compromised and used to distribute data-stealing malware from predetermined targets.

Microsoft urged users running vulnerable versions of IE 6, 7 and 8 on Windows to apply the fix immediately. The company also recommended temporary workarounds to prevent infection. Top of the list: upgrading to IE versions 9 or 10, which are not vulnerable. Alternatively, Microsoft said that users could run the Enhanced Mitigation Experience Toolkit (EMET) to prevent infection in lieu of an upgrade.