Millions Exposed to Cyber Attacks Because of Internet Explorer Vulnerability

Heimdal Security
Healthy paranoia
Aug 19, 2015

Yesterday evening, Microsoft released an emergency patch for a critical Internet Explorer vulnerability. Although you may not use IE on a daily basis, here’s why it’s important to update your system and get the patch now.

What you need to know about the IE security patch

Patch Tuesday came in with quite the update yesterday, when Microsoft announced Security Update for Internet Explorer (3088903) and rated it “critical”.

It is, indeed, a serious security problem for users, because the security hole could lead to various malicious exploits, as noted by Microsoft:

  • Remote Code Execution
  • Elevation of Privilege
  • Information Disclosure
  • Security Feature Bypass.

By exploiting this vulnerability, cyber criminals could compromise your entire system and infect it with malware, while also collecting confidential data or overriding security features to gain control of your PC. This is especially dangerous for those who use an administrator account on their PC on a daily basis (which we don’t recommend).

Internet Explorer may be the browser you use to download Chrome or Firefox, but it’s still used by millions. Let’s see which IE versions are affected and how many users could be compromised (mind you, the figures are estimated from the current number of Internet users in the world, 3.1 billion).

  • Internet Explorer 7: 0.1% (approximately 3.1 million users)
  • Internet Explorer 8: 0.9% (approximately 27.9 million users)
  • Internet Explorer 9: 1.2% (approximately 37.2 million users)
  • Internet Explorer 10: 0.8% (approximately 24.8 million users)
  • Internet Explorer 11: 4.2% (approximately 130.2 million users)

Browser statistics source: W3Schools.

The number of people affected by this vulnerability would reach over 220 million users, according to the estimates above, since the vulnerability is present in IE7 through IE11 on all supported versions of Windows (Vista, Windows 7, Windows 8, Windows 10). Users of Windows Server 2008, Windows Server 2008 R2, Windows Server 2012 and Windows Server 2012 R2 are also affected. For more information about the vulnerability, see Microsoft Security Bulletin MS15-093.

Internet Explorer remains the fourth most used browser in the world, with 13.4% market share in June 2015 according to W3Schools, or 12.88% market share in the same timeframe according to StatCounter.

Update: How cyber criminals are exploiting the vulnerability

The security hole in Internet Explorer is now being actively exploited, which makes it a zero-day vulnerability.

The vulnerability occurs in the way Internet Explorer handles the layout of cached tables. Technically, the code path patched by MS15-093 is CTable::GetAncestorTableOfTablePart, which can be exploited to run code in memory via a use-after-free that evades detection.

A use-after-free consists of “referencing memory after it has been freed, which can cause a program to crash, use unexpected values, or execute code,” according to CWE.mitre.org. Moreover:

The use of previously-freed memory can have any number of adverse consequences, ranging from the corruption of valid data to the execution of arbitrary code, depending on the instantiation and timing of the flaw.
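To make the bug class concrete, here is a small added example (not code from the original post or from Internet Explorer) that models a layout tree in which a table part caches a pointer to its ancestor table. The names, structures and the quarantine allocator are this example’s own assumptions. The vulnerable version stores a raw pointer and keeps using it after the document destroys the table; the hardened version takes its own reference, so the table cannot be freed while a cached pointer to it exists. Freed tables are poisoned and parked in a quarantine rather than returned to the heap, so the stale read can be observed safely here; a production allocator would hand the block to the next caller, which is exactly what makes the real bug exploitable.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy model of a layout tree: a table part (row or cell) caches a pointer to
 * its ancestor table, the relationship that CTable::GetAncestorTableOfTablePart
 * resolves in IE. Names and layout here are this example's assumptions. */
typedef struct Table {
    int refcount;
    char name[16];
} Table;

typedef struct TablePart {
    Table *ancestor;            /* cached ancestor-table pointer */
} TablePart;

/* Debug-style quarantine: a table whose last reference is dropped is poisoned
 * and parked instead of returned to the heap, so a stale read is observable
 * without undefined behaviour in this demo (assumption, not how IE allocates). */
#define POISON_BYTE 0xDD
#define QUARANTINE_SLOTS 8
static Table *quarantine[QUARANTINE_SLOTS];
static int quarantined;

static Table *table_new(const char *name) {
    Table *t = calloc(1, sizeof *t);
    if (!t) abort();
    t->refcount = 1;            /* the document's own reference */
    strncpy(t->name, name, sizeof t->name - 1);
    return t;
}

static void table_addref(Table *t) { t->refcount++; }

/* Returns 1 if this call destroyed the table. */
static int table_release(Table *t) {
    if (--t->refcount > 0) return 0;
    memset(t, POISON_BYTE, sizeof *t);
    if (quarantined < QUARANTINE_SLOTS) quarantine[quarantined++] = t;
    else free(t);
    return 1;
}

static void quarantine_flush(void) {
    while (quarantined > 0) free(quarantine[--quarantined]);
}

/* Vulnerable pattern: the part copies the raw pointer without taking a
 * reference. When the document tears the table down (e.g. script mutating the
 * DOM while layout is in progress), the cached pointer dangles and the next
 * ancestor lookup reads freed memory. Returns 1 when the stale read is seen. */
int vulnerable_scenario(void) {
    Table *t = table_new("T1");
    TablePart part = { t };
    table_release(t);                       /* refcount 1 -> 0: table destroyed */
    int stale = (unsigned char)part.ancestor->name[0] == POISON_BYTE;
    quarantine_flush();
    return stale;
}

/* Hardened pattern: the part holds its own reference, so the table outlives
 * every cached pointer to it. Returns 1 when the ancestor is still valid after
 * the document has dropped its reference. */
int hardened_scenario(void) {
    Table *t = table_new("T1");
    table_addref(t);
    TablePart part = { t };                 /* refcount 2 */
    int destroyed = table_release(t);       /* document's reference: 2 -> 1 */
    int valid = !destroyed && strcmp(part.ancestor->name, "T1") == 0;
    table_release(part.ancestor);           /* part's reference: 1 -> 0 */
    part.ancestor = NULL;
    quarantine_flush();
    return valid;
}

int main(void) {
    printf("raw pointer: stale read observed = %d\n", vulnerable_scenario());
    printf("ref-counted: ancestor still valid = %d\n", hardened_scenario());
    return 0;
}
```

The reference-counted variant is the same discipline COM-style browser objects use: whoever caches a pointer owns a reference, and the object is only destroyed when the last holder releases it. The poison byte mirrors what debugging allocators and EMET-style mitigations rely on to make stale reads crash early instead of silently handing attacker-controlled memory to the caller.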

Microsoft EMET (Enhanced Mitigation Experience Toolkit) provides protection against the exploit by hardening process memory, so that the attacker’s arbitrary code is not executed.

This attack, delivered through watering hole attacks and spear phishing, used an iframe that redirected traffic to 115.144 [.] 107.55.

The server injects the following code into the website (sanitized by Heimdal Security):

[code sample not reproduced in this copy]

The victim of the attack lands on the website vvv.html and, after a few initial checks, is redirected to the exploit page “/java.html”, which exploits CVE-2015-5122. The delivered payload is a PlugX variant, which is dropped to the system as “nvdisps.dll” and launched through a rundll32 call. The code creates the mutex “FAST” and contacts a static C&C server with the following POST request: “/update?Id=000a3228”.

The C&C server is hosted by EHOSTIDC-KR in Korea. The same server has been used in other APT PlugX attacks over the past 6 months, including, among others, the domain konsocn [.] com (sanitized by Heimdal Security).

Antivirus detection is low both in terms of the exploit and payload.
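Because antivirus coverage of both the exploit and the payload is low, the network indicators in the chain above (the redirect IP, the exploit page path, the PlugX beacon request and the C&C domain) are what a defender can actually alert on. The following is an added example, not code from the original post or from Heimdal Security, that runs those indicators over a few constructed proxy-log lines. It takes the indicators in the defanged form the post prints them and refangs them before matching; the beacon path is the post’s “/ update? Id = 000a3228” with the sanitisation spaces removed, which is an assumption of this example. The sample log lines, host names and client addresses are constructed, not real traffic; host-based indicators such as the “FAST” mutex and “nvdisps.dll” are out of scope for a proxy log and are not included.

```c
#include <stdio.h>
#include <string.h>

/* Network indicators as the post gives them (defanged with " [.] "). The
 * beacon path assumes the spaces in the post's rendering are sanitisation. */
typedef struct { const char *name; const char *needle; } Indicator;
static const Indicator kIndicators[] = {
    { "iframe-redirect-ip",   "115.144 [.] 107.55" },
    { "exploit-landing-page", "/java.html" },
    { "plugx-c2-beacon",      "/update?Id=000a3228" },
    { "plugx-c2-domain",      "konsocn [.] com" },
};
#define N_INDICATORS (sizeof kIndicators / sizeof kIndicators[0])

/* Undo the " [.] " defanging so a needle matches real proxy-log text. */
static void refang(const char *in, char *out, size_t outlen) {
    size_t o = 0;
    const char *p = in;
    while (*p && o + 1 < outlen) {
        if (strncmp(p, " [.] ", 5) == 0) { out[o++] = '.'; p += 5; }
        else out[o++] = *p++;
    }
    out[o] = '\0';
}

/* Bitmask of indicators present in one log line (bit i = kIndicators[i]). */
unsigned scan_line(const char *line) {
    unsigned hits = 0;
    char needle[128];
    for (size_t i = 0; i < N_INDICATORS; i++) {
        refang(kIndicators[i].needle, needle, sizeof needle);
        if (strstr(line, needle) != NULL) hits |= 1u << i;
    }
    return hits;
}

/* Constructed proxy-log lines (not real traffic): the landing-page visit, the
 * iframe redirect to the exploit page, the PlugX beacon, and a benign request
 * that merely looks similar (different path casing and id). */
const char *kSampleLog[] = {
    "2015-08-18T20:01:12Z 10.0.0.5 GET http://watering-hole.example.invalid/vvv.html 200",
    "2015-08-18T20:01:13Z 10.0.0.5 GET http://115.144.107.55/java.html 200",
    "2015-08-18T20:01:20Z 10.0.0.5 POST http://konsocn.com/update?Id=000a3228 200",
    "2015-08-18T20:02:00Z 10.0.0.7 GET http://updates.example.invalid/update?id=42 200",
};
#define N_SAMPLE (sizeof kSampleLog / sizeof kSampleLog[0])

/* Scan every sample line, print one alert per matching line, and return the
 * number of lines that matched at least one indicator. */
int count_flagged_lines(void) {
    int flagged = 0;
    for (size_t n = 0; n < N_SAMPLE; n++) {
        unsigned hits = scan_line(kSampleLog[n]);
        if (!hits) continue;
        flagged++;
        printf("ALERT line %zu:", n + 1);
        for (size_t i = 0; i < N_INDICATORS; i++)
            if (hits & (1u << i)) printf(" %s", kIndicators[i].name);
        printf("\n");
    }
    return flagged;
}

int main(void) {
    printf("%d of %zu lines flagged\n", count_flagged_lines(), (size_t)N_SAMPLE);
    return 0;
}
```

Matching on a bitmask rather than a single yes/no lets an analyst distinguish the redirect stage from the beacon stage: the second sample line trips both the IP and the landing-page rules, the third trips both C&C rules, and the look-alike fourth line trips none because the beacon path is matched exactly, including the capital “I” in “Id”.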

How to get protected

We highly recommend that you install the Microsoft Security Bulletin MS15-093 update on all Microsoft Windows systems you use, as soon as possible!

Government institutions may be especially vulnerable to attacks since Internet Explorer is seldom used in these organizations across the world.

Users are also in danger, since “70% of web based attacks target a vulnerability on your computer,” according to our data.

It’s also important to know that automatic patching can be a life-saving solution for your PC, whether it’s personal or used in a corporate environment. Up to 99% of computers run vulnerable software, such as Internet Explorer, Oracle Java, Adobe Reader or Adobe Flash, which makes them targets for cyber attacks that seek to exploit these security holes.

Learning how you can get infected via web exploits is also valuable, since it enables you to choose the right tools and settings to protect your data.

Most people don’t know this, but Internet Explorer was the second most exploited software application in 2014, according to Trustwave 2015, with cyber criminals directing 29.4% of their exploits towards it!

The reason is straightforward:

Most versions of IE don’t offer automatic patching like other browsers do. Because manual fixes require effort on the part of the user, many times the browser goes unpatched.

Source: Trustwave 2015

So what do I do now?

It’s quite simple. Use an automatic and silent patching tool that can update your critical applications for you, ensuring that you’re protected with the latest security patches.

And if you want to go the extra mile for your data’s safety, we recommend adding an advanced malware protection tool to your security setup. That way you’ll have a much better chance of being protected from sophisticated cyber attacks that target your personal data and money.

Originally published at heimdalsecurity.com on August 19, 2015.
