What kind of work does your research team undertake and how did you discover this latest zero day vulnerability?
It’s a global team with about 30 researchers all around the world and we focus on security research in multiple area. One of them is exploits against users who browse the web – what type of exploits and malicious attacks in general are delivered over the web when people browse and access certain websites. That’s also when we came across this zero day during our ongoing research.
How does the vulnerability manifest itself?
The vulnerability is in Internet Explorer version 8. It allows remote execution by creating a maliciously crafted website. It was unknown at the time of our discovery with no patch available at that time. After investigating it, since the exploit code looked unfamiliar, we contacted Microsoft and they confirmed within hours that it is a zero day – it’s an unknown vulnerability.
What is the geographical location of the exploit?
The web server is actually in the US, however the exploit code was limited to users from Japan and Korea. That’s quite typical of attackers. They would like to go undiscovered for as long as they can.
And since many of the analysis systems run from other countries, such as Europe or the US, limiting the serving of the exploit to other geographies means they can go undetected for a longer period of time.
Content from our partners
How serious is this particular vulnerability and how common are they?
As more and more people install the patch the effectiveness of the exploit will decrease. However, as we all know, some people do not install patches. Every time they’re asked to download patches, they don’t necessarily do it. Also, people might install new systems that aren’t fully patched, therefore there will always be some portion of computers that aren’t patched against vulnerability. So attackers may still use it in the future.
A couple of vulnerabilities were discovered in Internet Explorer in the past two years. None of them were exploited in the wild. I think there have been maybe half a dozen vulnerabilities exploited in the wild so it doesn’t happen that often.
What can people do to ensure that they don’t fall victim to this kind of malware?
First of all, stay fully patched. That, of course, will protect them against exploits of known vulnerabilities but not against exploits of unknown vulnerabilities. They should be very careful about the websites they browse to. Any suspicious emails or instant messages should be followed up on. People should use their own ‘Favourites’ tool, or bookmarks, or type address themselves rather than clicking links in suspicious emails. If they are at work it’s always recommend to use additional protection software such as a secure gateway that scans the traffic and looks for malicious content.
What kind of security threats should we been keeping an eye on over the coming year?
There are many different vectors but for the web vector, while people browse the web, the focus of many of the attacks is actually not on the browser. It’s more on the plugins. Browsers have been hardened and undergone a phase of testing so it’s becoming more and more difficult to find vulnerabilities there, even though Microsoft still patches vulnerabilities for Interne Explorer every month.
The attacks focus more on plugins like Java, Adobe Reader plugin for PDF files, flash files and other such formats. Java, in particular, has been a very successful vector for attacks during the last few years. It’s a complex piece of software that attackers manage to find multiple ways to overcome and run malicious code. We’ve seen at least five to 10 zero days in Java being exploited in the wild few years. Unfortunately, many people still install the Java plugin even though they don’t need them. Only certain business applications require Java, For many other people who don’t use those applications Java is not needed at all.
About two weeks ago it became known that hackers broke into Adobe and stole source code from Adobe. One of the affected software was Adobe Acrobat. They have a plugin, which is installed on many computers out there because PDF files are so popular. It’s possible that hackers who got access to the source code will now use it to look for new, unknown vulnerabilities. It’s much easier for them once they have access to the source code. If they’re successful we can expect more exploits, so these would be malicious PDF files that will include zero day and will probably even work on fully patched machines.
