Internet Explorer ‘SnowMan’ zero-day spreading

Attack first noted on VFW website is spreading, say Symantec researchers. If you must use IE9 or IE10, get patched now.

Two weeks ago FireEye discovered a sophisticated iframe infection on the VFW website that leverages (yet another) “use after free” security hole in Internet Explorer 9 and 10. The attack, known as “Operation SnowMan” and identified by CVE-2014-0322, installs a backdoor that lets the attackers remove data from an infected computer. Ominously, it operates on a “drive by” vector — you don’t need to do anything wrong; visit an infected site, and if you’re running IE9 or IE10, you’re pwned.

Fortunately, the attacks were not widespread. They were directed at specific targets — so-called APT attacks, commonly attributed to rogue government organizations or the NSA (which may be a tautology).

Last week, Microsoft acknowledged the problem and posted a “Fix it” as part of Security Advisory 2934088.

Symantec now advises that the same technique has spread widely:

“Attacks targeting this vulnerability are no longer confined to advanced persistent threats (APT) — the zero-day attacks are expanding to attack average Internet users as well. We refer to these attacks as drive-by downloads. This is not a surprising result, as the vulnerability’s exploit code received a lot of exposure, allowing anyone to acquire the code and re-use it for their own purposes.

“Our internal telemetry shows a big uptick in attempted zero-day attacks. The attacks started to increase dramatically from February 22, targeting users in many parts of the world. Our telemetry shows both targeted attacks and drive-by downloads in the mix.”

The Symantec advisory says that most of the infections it has observed occur in Japan on an odd array of websites — a community site for mountain hikers, an adult dating site, a shopping site, and more. “We believe that the same attacker undertook the majority of the attacks, based on the file components used… the exploit drops a banking Trojan that steals login details from certain banks.”

As I noted last week, your smartest approach is to avoid IE9 and IE10 completely — switch to Chrome or Firefox or your browser of choice. Failing that, bite the bullet and upgrade to IE11. If you absolutely must use IE9 or IE10, it would be a very good idea to apply the Fix it. Start by applying all updates to your version of Internet Explorer, then go to the KB 2934088 site and click the link to enable the MSHTML shim workaround.

There’s still no word on when Microsoft will supply a comprehensive fix.


Via: infoworld
