UPDATE – Microsoft announced it will release an out-of-band security update today to patch a zero-day vulnerability in Internet Explorer, and that the patch will also be made available for Windows XP machines through Automatic Update. At the same time, researchers said they are now seeing attacks specifically targeting XP users.
Microsoft no longer supports XP as of April 8, and that includes the development and availability of security updates. But the about-face today speaks to the seriousness of the vulnerability, which is being exploited in limited targeted attacks, Microsoft said.
“The security of our products is something we take incredibly seriously. When we saw the first reports about this vulnerability we decided to fix it, fix it fast, and fix it for all our customers,” said Adrienne Hall, General Manager, Microsoft Trustworthy Computing.
The vulnerability affects IE 6 through IE 11, and allows hackers to remotely execute code. The exploits in the wild had only been used to target IE 9 through IE 11 and are being used in conjunction with an Adobe Flash exploit to compromise computers. However, on Thursday, researchers at FireEye said that they had begun seeing attacks against IE 8 running on Windows XP.
“Today, FireEye Labs can reveal a newly uncovered version of the attack that specifically targets out-of-life Windows XP machines running IE 8. This means that live attacks exploiting CVE-2014-1776 are now occurring against users of IE 8 through 11 and Windows XP, 7 and 8,” the FireEye researchers said.
“We have also observed that multiple, new threat actors are now using the exploit in attacks and have expanded the industries they are targeting. In addition to previously observed attacks against the Defense and Financial sectors, organizations in the Government and Energy sectors are now also facing attack.”
Kaspersky Lab principal researcher Kurt Baumgartner said today on the Securelist blog that the exploits in the wild are leading victims to the Pirpi remote access Trojan.
“The week of [April 20], attackers known to send very well crafted emails to high value targets made an attempt to redirect folks’ browsers to sites hosting the IE 0day,” Baumgartner wrote. “The goal of the attacks was to deliver a newer version of the years-old Pirpi RAT to compromised, victim systems by taking control of their browsers, and in turn, their systems and networks.”
Baumgartner urges users to update quickly, even though attacks are limited.
“Once the update and code is analyzed, it can easily be delivered into waiting mass exploitation cybercrime networks,” he wrote.
Despite making today’s patch available for XP users as well, Microsoft also recommends that those users upgrade to a newer version of Windows, such as Windows 7 or 8. Security experts, including US-CERT, had recommended that users avoid the maligned browser until a patch was made available.
This is the first out-of-band patch from Microsoft since last January, when an IE security update was issued for zero-day vulnerabilities being exploited in watering hole attacks against manufacturing and government websites. For most zero-day vulnerabilities in IE and other Microsoft products, the company has been shipping Fix It tools as temporary mitigations and recommending the Enhanced Mitigation Experience Toolkit, or EMET, which provides mitigations against memory-corruption attacks.
Windows users who have Automatic Update enabled do not need to take any action to install today’s patch, Microsoft said.
Few details on the vulnerability or exploits were made available by Microsoft. The original advisory released on Sunday pointed to an issue in VGX.DLL, a library used to render vector graphics in IE. Microsoft revised its advisory on Tuesday with additional guidance: as a workaround, IE 10 and 11 users should run the browser in Enhanced Protected Mode, and all users should deploy and run EMET 4.1 or 4.0.
In addition, Microsoft recommended that admins unregister the VGX library, which means that applications relying on the library to render Vector Markup Language (VML) would no longer be able to do so.
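As an added example (not from the article or from Microsoft), the following read-only PowerShell check reports whether VGX.DLL is still COM-registered on a host, so an admin can verify that the unregistration workaround has actually taken effect. The library path and the CLSID registry hives used are the standard ones and are assumed here.

```powershell
# Added example, not part of the original article. Read-only: it changes nothing.
# Reports whether VGX.DLL (the VML renderer) is still COM-registered on this host.
# Assumption: the library lives at the standard Common Files location below.
$vgxPath = Join-Path ${env:CommonProgramFiles} 'Microsoft Shared\VGX\vgx.dll'

function Get-VgxRegistrationState {
    # Walk the CLSID hives (native and WOW6432) and collect every InprocServer32
    # entry whose default value points at vgx.dll.
    $hits = @()
    $roots = 'HKLM:\SOFTWARE\Classes\CLSID', 'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID'
    foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }
        Get-ChildItem $root -ErrorAction SilentlyContinue | ForEach-Object {
            $inproc = Join-Path $_.PSPath 'InprocServer32'
            if (Test-Path $inproc) {
                $server = (Get-ItemProperty -Path $inproc -ErrorAction SilentlyContinue).'(default)'
                if ($server -and $server -like '*vgx.dll') {
                    $hits += [pscustomobject]@{ Clsid = $_.PSChildName; Server = $server }
                }
            }
        }
    }
    [pscustomobject]@{
        DllPresent    = Test-Path $vgxPath
        Registered    = ($hits.Count -gt 0)
        Registrations = $hits
    }
}

$state = Get-VgxRegistrationState
if ($state.Registered) {
    Write-Output "VGX.DLL is still registered ($($state.Registrations.Count) CLSID(s)); VML rendering is enabled."
    $state.Registrations | Format-Table -AutoSize
} elseif ($state.DllPresent) {
    Write-Output "VGX.DLL is present but not registered; the VML workaround is in place."
} else {
    Write-Output "VGX.DLL was not found at the expected path."
}
```

Run it once before and once after applying the workaround; the second run should report the library as present but not registered.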
Yesterday, meanwhile, researchers at Websense said they may have isolated two components within the VGX library that were being exploited. The researchers noticed a spike in VGX.DLL crashes in two particular spots, including a suspicious buffer overflow bug, that could be where attackers are focusing.
Application crashes are indicators of exploit activity in some cases, and researchers believe that either one could be what is being exploited in the wild.