Microsoft patch fixed IE flaw used against U.S. military

Tucked within Microsoft's September patch release was a fix for a vulnerability that had been used this year in a sophisticated attack aimed at stealing U.S. military secrets.

A proof-of-concept (PoC) exploit for the XMLDOM vulnerability, which Microsoft labeled CVE-2013-7331, was first released in April 2013. The PoC was then "re-repurposed and abused" in the February attack against the U.S. Veterans of Foreign Wars' website, Kurt Baumgartner, principal security researcher, Americas, for Kaspersky Lab, reported Thursday.

Experts believe the attackers were hoping to infect the computers of active military personnel visiting the site in order to eventually steal valuable information. The VFW has 1.4 million members, including 75,000 who are still active.

The attackers had booby-trapped the site with a drive-by download that combined the XMLDOM flaw with a zero-day vulnerability in Internet Explorer, Baumgartner said. The XMLDOM flaw was used to determine whether the visiting Windows system was running Microsoft's Enhanced Mitigation Experience Toolkit (EMET), the exploit-mitigation package that could have interfered with the attack.

"If the parsed return code fails, it means EMET is not present and the attacker can proceed with the exploit," Microsoft wrote about XMLDOM.

If EMET was not present, the attackers exploited the IE zero-day to download a backdoor called "ZxShell," which was then used to steal files from victims' computers, according to security vendor FireEye, which was the first to report on the VFW website attack.

"Microsoft's security team quickly put out a patch for the related severe flaw -- an IE zero-day remote code execution issue," Baumgartner told CSOonline.

The ZxShell backdoor contacted a website hosted on an IP address linked to two other hacking campaigns, Operation DeputyDog and Operation Ephemeral Hydra, FireEye said. Both were suspected of originating in China.

Another patch released by Microsoft fixed a Windows Task Scheduler privilege-escalation vulnerability reminiscent of a zero-day exploited by the Stuxnet malware, Baumgartner said.

Stuxnet, discovered in 2010, was used in an attack that destroyed a number of centrifuges within Iranian nuclear facilities. The U.S. and Israel were behind the attack that dealt a significant blow to Iran's nuclear development operations, according to The New York Times.

The remaining 36 Internet Explorer vulnerabilities in the same bulletin enabled remote code execution on various versions of Windows, including the latest, 8.1. The bulletin is rated critical and affects IE versions 10 and 11.

Besides IE, Microsoft patched a total of five vulnerabilities in .NET, Lync Server and the Task Scheduler. The four security bulletins released Tuesday addressed a total of 42 vulnerabilities.

While Microsoft rated the .NET vulnerability, addressed in bulletin MS14-053, "important," risk management vendor Qualys said it should be treated as "critical" if a company has ASP.NET installed on an Internet Information Services (IIS) web server.

"If left unpatched, remote un-authenticated attackers can send HTTP/HTTPS requests to cause resource exhaustion, which will ultimately lead to a denial-of-service condition on the ASP.NET webserver," Wolfgang Kandek, chief technology officer for Qualys, said in the company's blog.


By Antone Gonsalves
