Zero-Day Attack Targets Internet Explorer
Online spies are using a previously unknown flaw in Microsoft's Internet Explorer browser for targeted attacks, researchers at Microsoft and security firm FireEye announced Saturday (April 26). A patch to fix the flaw is not yet available.
The flaw lets attackers control processes on the targeted computer and, in certain cases, install more malware without the user's knowledge. Internet Explorer versions 6 through 11 are affected, but the attackers seem to be focusing on IE 9 through 11, which together account for a quarter of global browser market share.
All Windows users should avoid using Internet Explorer until a patch is made available. Windows XP users will not be receiving a patch at all. Such attacks on previously unknown security flaws are called zero-day exploits, because researchers have zero days to prepare fixes before the attacks begin.
Milpitas, Calif.-based FireEye first discovered the attacks, which it describes as an "ongoing campaign" dubbed "Operation Clandestine Fox" in a blog post, adding that "for many reasons, we will not provide campaign details."
Significantly, FireEye's researchers said the attackers were an "APT group" that previously has had "access to a select number of browser-based 0-day exploits." APT, or advanced persistent threat, is often taken as a euphemism for Chinese state-sponsored digital spies.
Over the past two years, several espionage campaigns using different Internet Explorer zero-day exploits have targeted information useful to Chinese policymakers and companies. Many involved "watering hole" attacks, in which attackers embed browser-infecting malware in a website likely to be visited by individuals whose computers may contain desirable information — much as predators expect prey to gather at a watering hole.
For those reasons, general computer users may not now have much to fear from "Operation Clandestine Fox." But ordinary cybercriminals, who chase money instead of information, are likely to take advantage of this Internet Explorer flaw in the future.
The actors behind "Operation Clandestine Fox" are leveraging a known Adobe Flash Player exploit to access the Internet Explorer flaw, corrupting or creating Web pages that have malicious Flash (.SWF) files on them. (This technique does not involve a flaw in Adobe Flash Player itself.)
If you're using a vulnerable version of Internet Explorer to browse the Web and you land on one of these rigged pages, the page may trigger a drive-by download that infects the computer without your knowledge. The Flash file alters the affected computer's memory, creating the opportunity to exploit the Internet Explorer flaw.
In its own blog post, Microsoft says it will soon issue a patch for all supported versions of Windows and Internet Explorer. Windows XP won't be getting it, since Microsoft stopped supporting the 13-year-old operating system earlier this month.
Nevertheless, there are still a few things that users of all versions of Windows can do. First, stop using Internet Explorer, at least until this flaw is patched. (XP users should not be using Internet Explorer at all.) We recommend switching to Google Chrome, Mozilla Firefox, Opera or WhiteHat Aviator, all of which will support XP for at least another year.
Disabling all Adobe Flash browser plugins in IE will also stop the attack, since Flash is a necessary stepping-stone for the attack to work.
You can also download and install Microsoft's Enhanced Mitigation Experience Toolkit (EMET) version 4.1, which is available free on Microsoft's website and can improve Windows security.
Disabling a feature in Internet Explorer called "Active Scripting" will also prevent Flash from running in the browser.
Microsoft says that disabling an Internet Explorer extension called "VGX.dll" will also stop the attack. VGX.dll supports vector graphics rendering in the browser.
Because the zero-day exploit gains the Windows user's privileges, surfing the Web under a limited-user account will mitigate, if not completely stop, the attack and prevent the malware from affecting an entire PC.
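The mitigations listed above (limited-user account, Active Scripting, EMET, VGX.dll) can be checked on a Windows machine with the following PowerShell audit script. This is an added example, not code from the article, Microsoft or FireEye. The registry locations for the Internet Explorer version and for the Internet-zone Active Scripting setting are standard Windows locations; the EMET registry key and the vgx.dll install path are assumptions noted in the comments, and the -UnregisterVgx switch is a name invented for this script.

```powershell
# Added audit script (not from the article): reports which of the listed
# mitigations are in place on this machine. Run from an elevated PowerShell
# prompt; add -UnregisterVgx to actually unregister vgx.dll.
param([switch]$UnregisterVgx)

$findings = @()

# 1. Internet Explorer version. On IE 10/11 the real version is in svcVersion;
#    older releases only populate Version.
$ie = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Internet Explorer' -ErrorAction SilentlyContinue
$ieVersion = if ($ie.svcVersion) { $ie.svcVersion } else { $ie.Version }
$findings += "Internet Explorer version: $ieVersion (IE 6 through 11 are affected until patched)"

# 2. Limited-user account check. The exploit runs with the browsing user's
#    rights, so an administrator session gives it the whole PC.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if ($principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    $findings += "WARNING: this session has administrator rights; browse from a limited account instead"
} else {
    $findings += "OK: running under a limited (non-administrator) account"
}

# 3. Active Scripting for the Internet zone (zone 3). Value name 1400 holds
#    the setting: 0 = enabled, 1 = prompt, 3 = disabled.
$zone = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3' -ErrorAction SilentlyContinue
switch ($zone.'1400') {
    3       { $findings += "OK: Active Scripting is disabled in the Internet zone" }
    1       { $findings += "INFO: Active Scripting is set to prompt in the Internet zone" }
    default { $findings += "WARNING: Active Scripting is enabled in the Internet zone" }
}

# 4. EMET presence. Assumption: EMET 4.x stores its settings under this key.
if (Test-Path 'HKLM:\SOFTWARE\Microsoft\EMET') {
    $findings += "OK: EMET settings found in the registry"
} else {
    $findings += "INFO: EMET not detected; consider installing EMET 4.1"
}

# 5. VGX.dll (the VML vector-graphics renderer). Assumption: standard install
#    locations under Common Files on both 32-bit and 64-bit Windows.
$vgxPaths = @($env:CommonProgramFiles, ${env:CommonProgramFiles(x86)}) |
    Where-Object { $_ } |
    ForEach-Object { Join-Path $_ 'Microsoft Shared\VGX\vgx.dll' } |
    Where-Object { Test-Path $_ }

if (-not $vgxPaths) {
    $findings += "OK: vgx.dll not found in the expected locations"
}
foreach ($vgx in $vgxPaths) {
    if ($UnregisterVgx) {
        # regsvr32 /u removes the COM registration so IE no longer loads the DLL;
        # /s suppresses the confirmation dialog. Re-register (without /u) once patched.
        & "$env:SystemRoot\System32\regsvr32.exe" /u /s $vgx
        $findings += "Unregistered $vgx"
    } else {
        $findings += "INFO: $vgx is present; rerun with -UnregisterVgx to unregister it"
    }
}

$findings | ForEach-Object { Write-Output $_ }
```

The script only reads state unless -UnregisterVgx is given, so it is safe to run as a first pass across a fleet; the Flash plugin check is left out because the location of the Flash ActiveX control varies by Windows and IE version. Re-registering vgx.dll after the patch ships restores VML rendering for pages that need it.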