A very serious zero-day exploit targeting Internet Explorer has gone into wide release, hitting banking and government websites in Japan and Taiwan as more hacker crews roll it into their malware kits.
"It is not uncommon for APT [advanced persistent threat] groups to hand off exploits to others, who are lower on the zero-day food chain — especially after the exploit becomes publicly available," wrote FireEye researchers Ned Moran and Nart Villeneuve in a blog post Monday (Sept. 30). "Thus, while the exploit may be the same, the APT groups using them are not otherwise related."
"Advanced persistent threat" is an oft-used polite euphemism for "Chinese state-sponsored hacker crews out to steal foreign secrets." In this case, it's not clear whether the groups involved are being directed by Chinese government entities, or are instead freelancers of any nationality who sell stolen secrets to the highest bidder.
The exploit, dubbed a "zero-day" because it appeared in the wild before Microsoft learned of the flaw it exploited, affects all current versions of Windows and of Internet Explorer. Those would be Windows XP, Vista, 7, 8 and RT, plus various server variants, and Internet Explorer versions 6 through 11.
The exploit is being bundled into various "browser exploit kits," witches' brews of malware that hide on compromised websites and toss one exploit after another at each visiting Web browser until something gets through and infects the browser, and often the entire computer.
Researchers at two more California information-security firms backed up FireEye's observations. AlienVault found the exploit lurking on a compromised Taiwanese government website, while Websense stopped the exploit from attacking "a Japanese financial institution."
On Sept. 17, Microsoft issued a "Fix-it" module to temporarily patch the Internet Explorer flaw, which had first been exploited by the "Operation DeputyDog" exploit kit, used by a crew targeting institutions in Japan. (FireEye noted that the same crew attacked security vendor Bit9 in February, which resulted in stolen Bit9 credentials being used to steal information from Bit9 corporate customers.)
The Fix-it, which can be downloaded from Microsoft, must be manually installed — a somewhat cumbersome process that few Windows users will go through. It's hoped that Microsoft will roll a permanent fix into next week's Patch Tuesday round of monthly software updates.
Short of installing the Fix-it, Windows users can protect themselves from this new exploit by:
— not using Internet Explorer until the patch comes through
— running all Internet-facing software on a "limited" user account without software-installation privileges
— installing and maintaining robust anti-virus software that screens browser links
— turning on the built-in firewall on the computer and, if possible, on the Internet gateway router.