Microsoft has released a ‘Fix it’ for the Internet Explorer zero-day used in the Operation SnowMan attack on the VFW’s website.
If you were following the news last week, you know that the VFW website was hacked. According to Dan Goodin at Ars Technica, the website was modified so that an iframe tag “silently loaded a page on another site that hosted the exploit” — a traditional silent drive-by attack, using Flash as an infection vector.
Jeremy Kirk at PC World reports that FireEye, which discovered the hack, thinks it might have originated in China and was intended to spy on active military members. The attack, now called Operation SnowMan, installs a backdoor that lets the originators pull data from an infected computer.
At the time, Operation SnowMan was categorized as (yet another) “use after free” vulnerability in Internet Explorer — the same kind of security hole patched by MS10-002, MS12-037, MS12-063, MS13-080, and many others. The “use after free” bugs are particularly pernicious because they manage to bypass IE’s ASLR technology.
This exploit was assigned CERT VU number 732479. At the time, it appeared as if the hole only affected Internet Explorer 10.
Yesterday Microsoft issued Security Advisory 2934088, which confirms that the “Operation SnowMan” security hole affects IE9 as well. IE11 and IE8 and earlier don’t have the same problem. You XP users (who are prohibited from using IE9 and later) can breathe easy, as can anyone with the foresight to be using Firefox, Chrome, or another competing browser. In addition, the problem doesn’t crop up on default installations of Server 2003, 2008, 2008 R2, 2012, or 2012 R2.
If your version of IE9 or IE10 is updated to include the latest patches, you can manually apply a Microsoft “Fix it” to block the SnowMan. Go to KB 2934088 and, at the bottom of the page, click the link to Enable the MSHTML shim workaround.
Or you can upgrade to IE11. Or you can just use a different browser — none of the other major browsers support MSHTML.
No word as yet on when a permanent solution will be delivered.