
Microsoft issues advisory to fix security bug, problem continues

Microsoft says that it is aware of limited, targeted attacks that attempt to exploit some vulnerability in Internet Explorer versions 6, 7, 8, 9, 10 and 11.

It is a remote code execution vulnerability that exists in the way Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated. The flaw may corrupt memory in a way that allows an attacker to execute arbitrary code in the context of the current user within Internet Explorer. An attacker could host a specially crafted website designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website. In other words, the zero-day vulnerability consists of an Adobe Flash loophole that allows hackers to upload malicious code to a computer remotely while an individual visits a harmful site. The exploit uses an Adobe Flash SWF file to arrange memory through a process called heap feng shui.

It was FireEye Research Labs that identified a new Internet Explorer (IE) zero-day exploit used in targeted attacks. The firm warns that “threat actors are actively using this exploit in an ongoing campaign which we have named ‘Operation Clandestine Fox’”.

According to NetMarketShare, the 2013 market share of the targeted versions of IE was: IE 9 – 13.9%, IE 10 – 11.04% and IE 11 – 1.32%. Collectively, in 2013, the vulnerable versions of IE accounted for 26.25% of the browser market. The vulnerability itself exists in IE6 through IE11, though the exploit targets IE9 and higher.

Exploitation

Preparing the heap

The exploit page loads a Flash SWF file to manipulate the heap layout with the common technique heap feng shui. It allocates Flash vector objects to spray memory and cover address 0x18184000. Next, it allocates a vector object that contains a flash.Media.Sound() object, which it later corrupts to pivot control to its ROP chain.

Arbitrary memory access

The SWF file calls back into JavaScript in IE to trigger the IE bug and overwrite the length field of a Flash vector object in the heap spray. The SWF file then loops through the heap spray to find the corrupted vector object and uses it to modify the length of a second vector object. This second corrupted vector object is used for all subsequent memory accesses, which give the exploit the arbitrary read and write it needs to bypass ASLR and DEP.

Runtime ROP generation

With full memory control, the exploit searches NTDLL for ZwProtectVirtualMemory and for a stack pivot gadget (opcode bytes 0x94 0xc3, i.e. xchg eax,esp; ret). It also searches kernel32 for SetThreadContext, which it uses to clear the debug registers. This technique, documented here, may be an attempt to bypass protections that use hardware breakpoints, such as EMET’s EAF mitigation.

With the addresses of the aforementioned APIs and gadget, the SWF file constructs a ROP chain, and prepends it to its RC4 decrypted shellcode. It then replaces the vftable of a sound object with a fake one that points to the newly created ROP payload. When the sound object attempts to call into its vftable, it instead pivots control to the attacker’s ROP chain.

ROP and Shellcode

The ROP payload essentially makes the memory at 0x18184000 executable and then returns to 0x1818411c to execute the shellcode.

    0:008> dds eax
    18184100  770b5f58 ntdll!ZwProtectVirtualMemory
    18184104  1818411c
    18184108  ffffffff
    1818410c  181840e8
    18184110  181840ec
    18184114  00000040
    18184118  181840e4

Inside the shellcode, it first saves the current stack pointer (ebp) to 0x18181800 so that it can later return safely to the caller.

    mov     dword ptr ds:[18181800h],ebp

Then, it restores the flash.Media.Sound vftable and repairs the corrupted vector object to avoid application crashes.

    18184123 b820609f06      mov     eax,69F6020h
    18184128 90              nop
    18184129 90              nop
    1818412a c700c0f22169    mov     dword ptr [eax],offset Flash32_11_7_700_261!AdobeCPGetAPI+0x42ac00 (6921f2c0)
    18184133 b800401818      mov     eax,18184000h
    18184138 90              nop
    18184139 90              nop
    1818413a c700fe030000    mov     dword ptr [eax],3FEh  ds:0023:18184000=3ffffff0

The shellcode also recovers the ESP register to make sure the stack range is in the current thread stack base/limit.

    18184140 8be5            mov     esp,ebp
    18184142 83ec2c          sub     esp,2Ch
    18184145 90              nop
    18184146 eb2c            jmp     18184174

The shellcode calls SetThreadContext to clear the debug registers. It is possible that this is an attempt to bypass mitigations that use the debug registers.

    18184174 57              push    edi
    18184175 81ece0050000    sub     esp,5E0h
    1818417b c7042410000100  mov     dword ptr [esp],10010h
    18184182 8d7c2404        lea     edi,[esp+4]
    18184186 b9dc050000      mov     ecx,5DCh
    1818418b 33c0            xor     eax,eax
    1818418d f3aa            rep stos byte ptr es:[edi]
    1818418f 54              push    esp
    18184190 6afe            push    0FFFFFFFEh
    18184192 b8b308b476      mov     eax,offset kernel32!SetThreadContext (76b408b3)
    18184197 ffd0            call    eax
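To make the two listings in this section concrete, the following Python decoder is an added example; it is not code from the article, from FireEye or from Microsoft. It parses the `dds` stack dump shown under the ROP payload and the SetThreadContext disassembly just above, and reconstructs each call the way an analyst reads such a dump: which API is reached after the stack pivot, what the handle values -1 and -2 mean, which page protection 0x40 is, and why a CONTEXT whose ContextFlags is 0x10010 with the rest of the structure zeroed clears every hardware breakpoint on the thread. The two dwords that the ROP arguments point to (BaseAddress and RegionSize) are not shown on the page, so ASSUMED_MEMORY supplies constructed values; everything else comes from the listings.

```python
"""Decode the API calls set up by the ROP stack and shellcode listings above.
Added example, not code from the article, FireEye or Microsoft; ASSUMED_MEMORY is constructed."""
import re

# Real constants from winnt.h; CONTEXT_i386 is the architecture tag OR-ed into every x86 ContextFlags.
PAGE_PROTECTION_NAMES = {0x40: "PAGE_EXECUTE_READWRITE"}
CONTEXT_FLAG_NAMES = [(0x10000, "CONTEXT_i386"), (0x1, "CONTEXT_CONTROL"), (0x2, "CONTEXT_INTEGER"),
                      (0x4, "CONTEXT_SEGMENTS"), (0x8, "CONTEXT_FLOATING_POINT"),
                      (0x10, "CONTEXT_DEBUG_REGISTERS"), (0x20, "CONTEXT_EXTENDED_REGISTERS")]
# Windows pseudo-handles: GetCurrentProcess() is -1, GetCurrentThread() is -2.
PSEUDO_HANDLES = {0xFFFFFFFF: "GetCurrentProcess() pseudo-handle (-1)",
                  0xFFFFFFFE: "GetCurrentThread() pseudo-handle (-2)"}

# The article's two listings, re-wrapped one entry per line.
DDS_DUMP = """\
0:008> dds eax
18184100  770b5f58 ntdll!ZwProtectVirtualMemory
18184104  1818411c
18184108  ffffffff
1818410c  181840e8
18184110  181840ec
18184114  00000040
18184118  181840e4
"""
SHELLCODE_DISASM = """\
18184174 57              push    edi
18184175 81ece0050000    sub     esp,5E0h
1818417b c7042410000100  mov     dword ptr [esp],10010h
18184182 8d7c2404        lea     edi,[esp+4]
18184186 b9dc050000      mov     ecx,5DCh
1818418b 33c0            xor     eax,eax
1818418d f3aa            rep stos byte ptr es:[edi]
1818418f 54              push    esp
18184190 6afe            push    0FFFFFFFEh
18184192 b8b308b476      mov     eax,offset kernel32!SetThreadContext (76b408b3)
18184197 ffd0            call    eax
"""
# Constructed assumption: the dwords behind the BaseAddress/RegionSize pointers are not on
# the page; these follow the text's "make memory at 0x18184000 executable".
ASSUMED_MEMORY = {0x181840e8: 0x18184000, 0x181840ec: 0x1000}

DDS_LINE = re.compile(r"^([0-9a-fA-F]{8})\s+([0-9a-fA-F]{8})(?:\s+(\S+))?$")
DISASM_LINE = re.compile(r"^[0-9a-fA-F]{8}\s+[0-9a-fA-F]+\s+(\S+)\s*(.*)$")


def parse_dds(dump):
    """Return [(address, dword, symbol or None)] from a WinDbg `dds` listing."""
    rows = [DDS_LINE.match(ln.strip()) for ln in dump.splitlines()]
    return [(int(m[1], 16), int(m[2], 16), m[3]) for m in rows if m]


def decode_rop_chain(dump, memory=ASSUMED_MEMORY):
    """Read the stack the pivot (0x94 0xc3 = xchg eax,esp ; ret) lands on: [esp] is where
    `ret` goes (the API), [esp+4] the return address the API will use, [esp+8..] its stdcall
    arguments ZwProtectVirtualMemory(ProcessHandle, *BaseAddress, *RegionSize, NewProtect, *OldProtect)."""
    rows = parse_dds(dump)
    if len(rows) < 7 or rows[0][2] is None:
        raise ValueError("listing does not look like a pivoted call frame")
    v = [dword for _, dword, _ in rows]
    return {"function": rows[0][2], "return_address": v[1], "args": {
        "ProcessHandle": v[2], "ProcessHandle_meaning": PSEUDO_HANDLES.get(v[2], "real handle"),
        "BaseAddress": memory.get(v[3]), "RegionSize": memory.get(v[4]),
        "NewProtect": v[5], "NewProtect_name": PAGE_PROTECTION_NAMES.get(v[5], "unknown"),
        "OldProtect_ptr": v[6]}}


def masm_imm(tok):
    """Parse a MASM immediate such as 10010h or 0FFFFFFFEh."""
    return int(tok[:-1], 16) if tok.lower().endswith("h") else int(tok, 0)


def decode_setthreadcontext(disasm):
    """Walk the shellcode and reconstruct the SetThreadContext(hThread, lpContext) call."""
    pushes, callee, flags, count, eax_zero, zeroed = [], None, 0, 0, False, 0
    for line in disasm.splitlines():
        m = DISASM_LINE.match(line.strip())
        if not m:
            continue
        mnem, ops = m[1], m[2]
        if mnem == "sub" and ops.startswith("esp,"):
            pushes = []                           # frame setup: earlier pushes are saved registers
        elif mnem == "push":
            pushes.append(masm_imm(ops) if ops[0].isdigit() else ops)
        elif mnem == "mov" and ops.startswith("dword ptr [esp],"):
            flags = masm_imm(ops.split(",", 1)[1])  # ContextFlags is the first CONTEXT field
        elif mnem == "mov" and ops.startswith("ecx,"):
            count = masm_imm(ops.split(",", 1)[1])
        elif mnem == "xor" and ops == "eax,eax":
            eax_zero = True
        elif mnem == "rep" and ops.startswith("stos") and eax_zero:
            zeroed = count                        # rest of the CONTEXT, Dr0-Dr7 included, is zeroed
        elif mnem == "mov" and ops.startswith("eax,offset "):
            callee = ops.split("offset ", 1)[1].split()[0]
        elif mnem == "call" and ops == "eax" and callee:
            h_thread, lp_context = reversed(pushes)   # stdcall: last push is the first argument
            names = [name for bit, name in CONTEXT_FLAG_NAMES if flags & bit]
            return {"callee": callee, "hThread": h_thread,
                    "hThread_meaning": PSEUDO_HANDLES.get(h_thread, "real handle"),
                    "lpContext": lp_context, "ContextFlags": flags, "ContextFlags_names": names,
                    "zeroed_bytes": zeroed,
                    "clears_hardware_breakpoints": "CONTEXT_DEBUG_REGISTERS" in names and zeroed > 0}
    raise ValueError("no indirect call through eax found")
```

Calling decode_rop_chain(DDS_DUMP) yields the call ZwProtectVirtualMemory(-1, &0x18184000, &0x1000, PAGE_EXECUTE_READWRITE, &OldProtect) returning to 0x1818411c, which is the text's "make 0x18184000 executable, then run the shellcode". decode_setthreadcontext(SHELLCODE_DISASM) reports SetThreadContext on the current-thread pseudo-handle with ContextFlags = CONTEXT_i386 | CONTEXT_DEBUG_REGISTERS and the rest of the buffer zeroed: only Dr0-Dr7 are written, and they are written as zero, which is exactly why the call defeats a mitigation that relies on hardware breakpoints. From a detection standpoint, a SetThreadContext call on the thread's own pseudo-handle with only CONTEXT_DEBUG_REGISTERS set is a narrow, low-noise signal worth alerting on in a sandbox trace.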

The shellcode calls URLDownloadToCacheFileA to download the next stage of the payload, disguised as an image.

Assurance

On completion of its investigation, Microsoft assures that it will take appropriate action to protect its customers, which may include providing a solution through its monthly security update release process, or an out-of-cycle security update, depending on customer needs.

For information about protections released by MAPP partners, one may visit MAPP Partners with Updated Protections.

Microsoft continues to encourage customers to follow the guidance in the Microsoft Safety & Security Center of enabling a firewall, applying all software updates, and installing antimalware software.

Mitigating Factors:

  • By default, Internet Explorer on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2 runs in a restricted mode that is known as Enhanced Security Configuration. This mode mitigates this vulnerability.
  • By default, all supported versions of Microsoft Outlook, Microsoft Outlook Express, and Windows Mail open HTML email messages in the Restricted sites zone. The Restricted sites zone, which disables script and ActiveX controls, helps reduce the risk of an attacker being able to use this vulnerability to execute malicious code. If a user clicks a link in an email message, the user could still be vulnerable to exploitation of this vulnerability through the web-based attack scenario.
  • An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
  • In a web-based attack scenario, an attacker could host a website that contains a webpage that is used to exploit this vulnerability. In addition, compromised websites and websites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these websites. Instead, an attacker would have to convince users to visit the website, typically by getting them to click a link in an email message or Instant Messenger message that takes users to the attacker’s website.
Suggested actions:

  • Apply Workarounds

    Workarounds refer to a setting or configuration change that does not correct the underlying issue but would help block known attack vectors before a security update is available.

    • Deploy the Enhanced Mitigation Experience Toolkit 4.1

    The Enhanced Mitigation Experience Toolkit (EMET) helps mitigate the exploitation of this vulnerability by adding additional protection layers that make the vulnerability harder to exploit. EMET 4.1 is officially supported by Microsoft. At this time, EMET is only available in the English language. For more information, see Microsoft Knowledge Base Article 2458544.

    Note EMET 3.0 does not mitigate this issue.

    For more information about configuring EMET, see the EMET User’s Guide:

      • On 32-bit systems the EMET User’s Guide is located in C:\Program Files\EMET\EMET User’s Guide.pdf
      • On 64-bit systems the EMET User’s Guide is located in C:\Program Files (x86)\EMET\EMET User’s Guide.pdf

    Configure EMET 4.1 for Internet Explorer

    EMET 4.1, in the recommended configuration, is automatically configured to help protect Internet Explorer. No additional steps are required.

    Configure EMET for Internet Explorer using Group Policy

    EMET can be configured using Group Policy. For information about configuring EMET using Group Policy, see the EMET User’s Guide at the locations listed above.

    Note For more information about Group Policy, see Group Policy collection.

    • Set Internet and Local intranet security zone settings to “High” to block ActiveX Controls and Active Scripting in these zones

    You can help protect against exploitation of this vulnerability by changing your settings for the Internet security zone to block ActiveX controls and Active Scripting. You can do this by setting your browser security to High.

    To raise the browsing security level in Internet Explorer, perform the following steps:

    1. On the Internet Explorer Tools menu, click Internet Options.
    2. In the Internet Options dialog box, click the Security tab, and then click Internet.
    3. Under Security level for this zone, move the slider to High. This sets the security level for all websites you visit to High.
    4. Click Local intranet.
    5. Under Security level for this zone, move the slider to High. This sets the security level for all websites you visit to High.
    6. Click OK to accept the changes and return to Internet Explorer.

    Note If no slider is visible, click Default Level, and then move the slider to High.

    Note Setting the level to High may cause some websites to work incorrectly. If you have difficulty using a website after you change this setting, and you are sure the site is safe to use, you can add that site to your list of trusted sites. This will allow the site to work correctly even with the security setting set to High.

    Impact of workaround. There are side effects to blocking ActiveX Controls and Active Scripting. Many websites that are on the Internet or on an intranet use ActiveX or Active Scripting to provide additional functionality. For example, an online e-commerce site or banking site may use ActiveX Controls to provide menus, ordering forms, or even account statements. Blocking ActiveX Controls or Active Scripting is a global setting that affects all Internet and intranet sites. If you do not want to block ActiveX Controls or Active Scripting for such sites, use the steps outlined in “Add sites that you trust to the Internet Explorer Trusted sites zone”.

    Add sites that you trust to the Internet Explorer Trusted sites zone

    After you set Internet Explorer to block ActiveX controls and Active Scripting in the Internet zone and in the Local intranet zone, you can add sites that you trust to the Internet Explorer Trusted sites zone. This will allow you to continue to use trusted websites exactly as you do today, while helping to protect yourself from this attack on untrusted sites. We recommend that you add only sites that you trust to the Trusted sites zone.

    To do this, perform the following steps:

    1. In Internet Explorer, click Tools, click Internet Options, and then click the Security tab.
    2. In the Select a web content zone to specify its current security settings box, click Trusted Sites, and then click Sites.
    3. If you want to add sites that do not require an encrypted channel, click to clear the Require server verification (https:) for all sites in this zone check box.
    4. In the Add this website to the zone box, type the URL of a site that you trust, and then click Add.
    5. Repeat these steps for each site that you want to add to the zone.
    6. Click OK two times to accept the changes and return to Internet Explorer.

    Note Add any sites that you trust not to take malicious action on your system. Two in particular that you may want to add are *.windowsupdate.microsoft.com and *.update.microsoft.com. These are the sites that will host the update, and an ActiveX Control is required to install the update.

    • Configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone

    You can help protect against exploitation of this vulnerability by changing your settings to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone. To do this, perform the following steps:

    1. In Internet Explorer, click Internet Options on the Tools menu.
    2. Click the Security tab.
    3. Click Internet, and then click Custom Level.
    4. Under Settings, in the Scripting section, under Active Scripting, click Prompt or Disable, and then click OK.
    5. Click Local intranet, and then click Custom Level.
    6. Under Settings, in the Scripting section, under Active Scripting, click Prompt or Disable, and then click OK.
    7. Click OK two times to return to Internet Explorer.

    Note Disabling Active Scripting in the Internet and Local intranet security zones may cause some websites to work incorrectly. If you have difficulty using a website after you change this setting, and you are sure the site is safe to use, you can add that site to your list of trusted sites. This will allow the site to work correctly.

    Impact of workaround. There are side effects to prompting before running Active Scripting. Many websites that are on the Internet or on an intranet use Active Scripting to provide additional functionality. For example, an online e-commerce site or banking site may use Active Scripting to provide menus, ordering forms, or even account statements. Prompting before running Active Scripting is a global setting that affects all Internet and intranet sites. You will be prompted frequently when you enable this workaround. For each prompt, if you feel you trust the site that you are visiting, click Yes to run Active Scripting. If you do not want to be prompted for all these sites, use the steps outlined in “Add sites that you trust to the Internet Explorer Trusted sites zone”.

    Add sites that you trust to the Internet Explorer Trusted sites zone

    After you set Internet Explorer to require a prompt before it runs ActiveX controls and Active Scripting in the Internet zone and in the Local intranet zone, you can add sites that you trust to the Internet Explorer Trusted sites zone. This will allow you to continue to use trusted websites exactly as you do today, while helping to protect you from this attack on untrusted sites. We recommend that you add only sites that you trust to the Trusted sites zone.

    To do this, perform the following steps:

    1. In Internet Explorer, click Tools, click Internet Options, and then click the Security tab.
    2. In the Select a web content zone to specify its current security settings box, click Trusted Sites, and then click Sites.
    3. If you want to add sites that do not require an encrypted channel, click to clear the Require server verification (https:) for all sites in this zone check box.
    4. In the Add this website to the zone box, type the URL of a site that you trust, and then click Add.
    5. Repeat these steps for each site that you want to add to the zone.
    6. Click OK two times to accept the changes and return to Internet Explorer.

    Note Add any sites that you trust not to take malicious action on your system. Two in particular that you may want to add are *.windowsupdate.microsoft.com and *.update.microsoft.com. These are the sites that will host the update, and an ActiveX Control is required to install the update.

    • Unregister VGX.DLL

    To unregister vgx.dll, perform the following steps:

    1. Click Start, click Run, type “%SystemRoot%\System32\regsvr32.exe” -u “%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll”, and then click OK.
    2. A dialog box appears to confirm that the un-registration process has succeeded. Click OK to close the dialog box.

    Impact of Workaround: Applications that render VML will no longer do so once vgx.dll has been unregistered.

    When a security update is available to address this issue, you should re-register vgx.dll after installing the security update. To re-register vgx.dll, follow these steps:

    1. Click Start, click Run, type “%SystemRoot%\System32\regsvr32.exe” “%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll”, and then click OK.
    2. A dialog box appears to confirm that the registration process has succeeded. Click OK to close the dialog box.

    • Modify the Access Control List on VGX.DLL to be more restrictive

    To modify the Access Control List (ACL) on vgx.dll to be more restrictive, follow these steps:

    1. Click Start, click Run, type “cmd” (without the quotation marks), and then click OK.
    2. Type the following command at a command prompt and make a note of the current ACLs that are on the file (including inheritance settings), for future reference when you undo this modification:

      cacls “%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll”

    3. Type the following command at a command prompt to deny the ‘everyone’ group access to this file:

      echo y| cacls “%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll” /d everyone

    4. Close Internet Explorer, and reopen it for the changes to take effect.

    Impact of Workaround: Applications and Web sites that render VML may no longer display or function correctly.

    Note If this workaround is applied, software that redistributes vgx.dll may fail to install. Before this software can be installed, this workaround must be reverted to the previous ACL configuration for vgx.dll.

    How to undo this workaround. Before any security updates that fix this issue can be installed, this workaround must be reverted to the previous ACL configuration for vgx.dll. To revert to the previous vgx.dll ACLs, follow these steps:

    1. Click Start, click Run, type “cmd” (without the quotation marks), and then click OK.
    2. Type the following command to replace the ACL on vgx.dll with the ACLs it previously had, which were recorded in step 2 of this workaround. The command line to do so will vary depending on your environment:

      echo y| cacls “%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll” /g original ACL’s

    3. Close Internet Explorer, and reopen it for the changes to take effect.

    • Enable Enhanced Protected Mode For Internet Explorer 11 and Enable 64-bit Processes for Enhanced Protected Mode

    Internet Explorer 11 users can help protect against exploitation of this vulnerability by changing the Advanced Security settings for Internet Explorer. You can do this by enabling Enhanced Protected Mode (EPM) settings in your browser. This security setting will protect users of Internet Explorer 11 on Windows 7 for x64-based systems, and all Windows 8 and Windows 8.1 clients.

    To enable EPM in Internet Explorer, perform the following steps:

    1. On the Internet Explorer Tools menu, click Internet Options.
    2. In the Internet Options dialog box, click the Advanced tab, and then scroll down to the Security section of the settings list.
    3. Ensure the checkboxes next to Enable Enhanced Protected Mode and Enable 64-bit processes for Enhanced Protected Mode (for 64-bit systems) are selected.
    4. Click OK to accept the changes and return to Internet Explorer.
    5. Restart your system.

  • Additional Suggested Actions

    • Protect your PC

    Customers must follow Microsoft’s “Protect Your Computer” guidance of enabling a firewall, getting software updates, and installing antimalware software. For more information, see Microsoft Safety & Security Center.

    • Keep Microsoft Software Updated

    Users running Microsoft software should apply the latest Microsoft security updates to help make sure that their computers are as protected as possible. If you are not sure whether your software is up to date, visit Microsoft Update, scan your computer for available updates, and install any high-priority updates that are offered to you. If you have automatic updating enabled and configured to provide updates for Microsoft products, the updates are delivered to you when they are released, but you should verify that they are installed.

The process seizes the internal memory storage of a computer, inputs malicious shellcode, and continues to do so until it either achieves its purpose or the computer crashes (or both), bypassing Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR). Data Execution Prevention is designed to prevent any sort of data from being executed (particularly remote data input). Address Space Layout Randomization is designed to prevent hackers from accessing weak areas in a given program by moving data libraries, stacks, heaps, and executable bases to different locations within computer internals. With randomization, it becomes more difficult for hackers to install malicious code remotely and know where certain data are located within a device.


By Sirf News Network
