Fiendish Internet Explorer 10 zero-day targets US soldiers

Cyberspies have used an unpatched vulnerability in Internet Explorer 10 in an exploit which appears to target US military personnel. Among three high-priority updates in the most recent Patch Tuesday (11 February) was a cumulative fix for Explorer which addressed a whopping two dozen different memory corruption vulnerabilities …

COMMENTS

This topic is closed for new posts.
  1. Charles 9

    I'm curious to know how the exploit is defeating both ASLR and DEP. Is the code using a JIT Spray or something else?

    1. diodesign (Written by Reg staff) Silver badge

      Re: Charles 9

      It's quite clever and naughty. It works kinda like this. You use a use-after-free() bug to perform an arbitrary write to fiddle with values in allocated structures - such as deleting a terminating byte or increasing the length of the object. This allows you to access memory you shouldn't. Eventually you'll be able to calculate where the OS has placed libraries and such things in memory using ASLR.

      Now you know where things are, you can link together short sequences of machine code in the known objects to build up your attack code and execute it. This gets you around DEP; it's called Return Orientated Programming (ROP). Google it and spend a weekend having fun with it :-)

      C.
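The comment above gives the chain in words. What follows is an added example, not code from the article or from any commenter, that models the first half of that chain (a write through a dangling reference corrupts a neighbouring object's length field, the engine's bounds check then passes for any index, an out-of-bounds read leaks a pointer into a loaded module, and subtracting a known offset yields the module base) in deterministic C. The two-slot arena, the `str_obj` and `node_obj` layouts, the `fake_module` image and `VTABLE_OFFSET` are all assumptions chosen so the example runs offline without undefined behaviour; the ROP stage that follows a real leak is not modelled.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy arena (an assumption for this model): one size bucket with two adjacent
 * slots. Freed slots are reused first-fit and never scrubbed, which is what
 * makes a stale reference useful to an attacker. */
#define SLOT_SIZE 32
#define SLOTS 2
static unsigned char arena[SLOTS * SLOT_SIZE];
static int slot_in_use[SLOTS];

static void arena_reset(void) {
    memset(arena, 0, sizeof arena);
    memset(slot_in_use, 0, sizeof slot_in_use);
}

static void *arena_alloc(void) {
    for (int i = 0; i < SLOTS; i++) {
        if (!slot_in_use[i]) {
            slot_in_use[i] = 1;
            return &arena[i * SLOT_SIZE];
        }
    }
    return NULL;
}

static void arena_free(void *p) {
    slot_in_use[((unsigned char *)p - arena) / SLOT_SIZE] = 0;  /* contents left behind */
}

/* Script-visible string: 32-bit length prefix followed by the bytes. */
typedef struct {
    uint32_t len;
    char data[SLOT_SIZE - sizeof(uint32_t)];
} str_obj;

/* Neighbouring object that carries a pointer into a loaded module (think vtable).
 * The layout is an assumption for the model. */
typedef struct {
    uint32_t kind;
    uint32_t pad;
    const unsigned char *vtable;
    char name[16];
} node_obj;
_Static_assert(sizeof(str_obj) <= SLOT_SIZE && sizeof(node_obj) <= SLOT_SIZE,
               "objects must fit a slot");

/* Stand-in for a library image; its address is whatever ASLR/PIE gave this run.
 * VTABLE_OFFSET is the attacker's knowledge of the module's fixed internal layout. */
static const unsigned char fake_module[0x100];
#define VTABLE_OFFSET 0x40

/* The engine's bounds-checked byte read. Returns -1 when refused. */
static int str_read(const str_obj *s, uint32_t idx) {
    if (idx >= s->len) return -1;  /* the only guard between script and raw memory */
    size_t off = (size_t)((const unsigned char *)s - arena) + sizeof(uint32_t) + idx;
    if (off >= sizeof arena) return -1;  /* end of the mapping: a real read would fault */
    return arena[off];
}

/* Runs the scenario; returns the computed module base, or 0 if the read was refused. */
static uintptr_t run_attack(int do_uaf_write) {
    arena_reset();

    str_obj *victim = arena_alloc();                 /* slot 0 */
    victim->len = 5;
    memcpy(victim->data, "hello", 5);

    node_obj *node = arena_alloc();                  /* slot 1, directly after it */
    node->kind = 1;
    node->vtable = fake_module + VTABLE_OFFSET;
    memcpy(node->name, "div", 4);

    str_obj *stale = victim;                         /* reference the script keeps */
    arena_free(victim);                              /* object destroyed... */
    str_obj *fresh = arena_alloc();                  /* ...and its slot handed out again */
    fresh->len = 8;
    memcpy(fresh->data, "AAAAAAAA", 8);

    if (do_uaf_write)
        stale->len = 0xFFFFFFFFu;                    /* the use-after-free write */

    /* Offset from fresh->data to node->vtable, i.e. well past the end of the string. */
    uint32_t ptr_off = (uint32_t)(sizeof(fresh->data) + offsetof(node_obj, vtable));
    unsigned char raw[sizeof(uintptr_t)];
    for (size_t i = 0; i < sizeof raw; i++) {
        int b = str_read(fresh, ptr_off + (uint32_t)i);
        if (b < 0) return 0;                         /* bounds check held */
        raw[i] = (unsigned char)b;
    }
    uintptr_t leaked;
    memcpy(&leaked, raw, sizeof leaked);             /* host byte order, no endian guess */
    return leaked - VTABLE_OFFSET;                   /* known offset turns the leak into a base */
}

int main(void) {
    printf("without the stale write: base = %#lx (0 means the read was refused)\n",
           (unsigned long)run_attack(0));
    printf("with the stale write:    base = %#lx, fake_module is at %p\n",
           (unsigned long)run_attack(1), (const void *)fake_module);
    return 0;
}
```

Run it twice and the printed base changes between runs (that is ASLR doing its job), yet each time it equals the address of `fake_module`: one leaked pointer plus a fixed intra-module offset is all the randomisation protects against, which is why ASLR alone is not a defence against an info-leak primitive and why DEP then has to be bypassed with ROP rather than injected code.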

      1. pacman7de

        ASLR Bypass Apocalypse ..

        @diodesign: "It's quite clever and naughty. It works kinda like this. You use a use-after-free() bug to perform an arbitrary write to fiddle"

        If such security mechanisms were done in hardware, wouldn't they actually work, as in the OS would not have write access to the data structures. There would be two systems, the main one running the apps, and the security system monitoring the main one. Similar to how burglar alarms are designed, a main one monitoring the doors-and-windows, and a second one monitoring the main alarm circuit, to detect attempted compromises of the main one.

        1. Charles 9

          Re: ASLR Bypass Apocalypse ..

          So how do they keep the INNER circuit from being directly attacked. IOW, who guards the guards' guard? Similarly, wouldn't the malware writers simply target the hardware directly, which HAS happened, as BIOS/EFI exploits can attest.

  2. Anonymous Coward

    If it only affects IE then I've been safe since 2008.

  3. Anonymous Coward

    Maybe

    Maybe it was just a backfire, an NSA concoction that accidentally went the wrong way?

    1. Anonymous Coward

      Re: Maybe

      >Maybe it was just a backfire, an NSA concoction that accidentally went the wrong way?

      That would explain "clod security".

      1. Wzrd1 Silver badge

        Re: Maybe

        More like a PRC or RBN attack.

        The NSA has all of the credentials of US DoD users.

        Of course, the VFW isn't a US DoD organization, it is a veterans organization.

  4. eulampios

    if it were for Mozilla or Google

    that would have been fixed by now.

    1. Anonymous Coward

      Re: if it were for Mozilla or Google

      I can't find any figures for 'Mozilla', but IE has a much lower average time at risk and far fewer security vulnerabilities than the Chrome browser....

      1. eulampios

        @AC

        How is that possible for MS to be faster when it schedules fixes for a Tuesday every month? It would be interesting to see the analysis of the average time before a fix. However, according to Wikipedia, FF in 2006 was much faster in fixing than IE was, while having fewer security vulnerabilities than the latter. I also remember a few incidents at pwn2own when both Mozilla and Google had patched their flaws almost immediately after the competition was over, while it took more than a month for MS to do a similar task.

        As for the vulnerabilities exploited in the wild, Chrome has yet to be mentioned; it's primarily MS IE that is exploited. On top of that, Firefox has the NoScript plugin, which makes the overwhelming majority of exploits virtually useless.

        It should also be emphasized that both the working exploits and the exploits in the wild have been demonstrated on MS Windows, not GNU/Linux, Android, FreeBSD etc. So, MS has to be borne in mind and always mentioned as a responsible party.

        1. Anonymous Coward

          Re: @AC

          Just because Google and Mozilla were able to fix specific problems associated with pwn2own with their browsers faster than MS was, doesn't mean that the problems were of the same complexity. It also doesn't mean that Google and Mozilla tested their fixes with the same amount of hardware/software combinations to make sure that they worked. It also doesn't mean that those fixes were stable and not rush jobs.

          I'm not saying that MS did those things, but that company X fixes a problem with their browser faster than company Y doesn't even scratch the surface of what each company did to make the fix.

          1. eulampios

            Re: @AC

            ... but that company X fixes a problem with their browser faster than company Y doesn't even scratch the surface of what each company did to make the fix.

            Since IE is fully proprietary software, one can't even guess what they are trying to do. Even Google's Chrome gets its patches surfaced in the free Chromium.

            Dear AC, you said that MS is faster to fix security bugs in IE than Google is in Chrome. You didn't provide any links for this allegation. I mentioned a few cases where MS was very slow. So, are we getting any links or not?

            It also doesn't mean that Google and Mozilla tested their fixes with the same amount of hardware/software combinations to make sure that they worked.

            Neither does it mean the converse. Should I be reminding you that Mozilla's Firefox and Google's Chrome run on the much wider scope of hardware and operating systems?

            In general, MS takes too long to fix bugs and still gets into trouble, say, when a few Windows systems wouldn't boot after a kernel patch. No, it's not the problem of those who patch it, it's the fundamental problem of the OS underpinning going against the modularity principle. AMOF, a faulty kernel update on a GNU/Linux system could easily be circumvented by booting into the old kernel. Sorry to break your Redmondian bubble.

            1. Anonymous Coward

              Re: @AC

              It's two different ACs, btw.

              I suggested that taking examples of random /different/ bugs and using them to illustrate better or worse patching prowess on behalf of the organisations fixing the bugs is not exactly watertight by means of a comparison.

              Your response: It doesn't mean it isn't though.

              Oh and as a very long term Linux user (and, yes MS and UNIX and various others) - the theoretical ability to boot into another kernel version is great except when your last update makes changes which render all the previous versions of the kernel un-bootable, which seems to have happened to me several times using Ubuntu/mythbuntu based builds.

              You need to get rid of the Lunix is ace/MS sucks attitude which flows through your posts because it holds back the FOSS movement as a whole. Linux is excellent at some things poor at others, the same for Windows. They can be used to very great success together when complementing each other's strengths.

              1. eulampios

                theory vs. practice, @ the 2nd AC

                the theoretical ability to boot into another kernel version is great except when your last update makes changes which render all the previous versions of the kernel un-bootable,

                Sorry about that AC, can't recall it happening to me, actually.

                So for me it's both a practical and a theoretical advantage, while it is missing in MS Windows.

                In your case, what could that be? GRUB is pretty hard to break,

                -- unless you updated/changed a proprietary video driver, but it's still bootable into Mesa or a non-X console.

                -- or you or an update messed up your configs; updates rarely do (it has never happened to me), and if you did it, it's not the fault of the OS. And it's still fairly easy to fix by booting into recovery mode (single-user environment) or a live system.

                I suggested that taking examples of random /different/ bugs and using them to illustrate better

                I've done it for you, pwn2own wasn't random enough for you? My perception was that Google has been super-fast, while MS does it ... on Tuesdays every month. On the other note, Chrome has yet to be compromised in the wild, unlike a popular target IE.

                Lunix is ace/MS sucks attitude which flows through your posts because it holds back the FOSS movement as a whole.

                Sorry, no, it doesn't depend on me; it depends on MS. BTW, holding back the FOSS movement, or rather using predatory practices and dirty tactics, is one big thing. Sucking in the IT sense is a very different one. Say, Apple got the first one and many people despise them equally (while Oracle got... Larry to join this very good company). In my opinion, MS deserves every beating and derision it receives for both. No, it's all up to MS to not suck, I am afraid.

        2. Anonymous Coward

          Re: @AC

          "How is that possible for MS to be faster with a scheduling it Tuesday every month"

          Microsoft do sometimes release out-of-band fixes for high risk and actively exploited issues. For instance the recent Flash hole. But in the enterprise - the regular scheduled approach is in general much better overall than the 'at random' exposure of new attacks by releasing new patches without notice. Also Microsoft often manage to patch vulnerabilities before they are otherwise known - making the time at risk for those zero.

          IE has a 75% market share of PC users, so you would expect it to be by far the primary exploit target.

          "that the exploits both working exploits and exploits in the wild have been demonstrated on the MS Windows, not GNU/Linux, Android, FreeBSD etc"

          For this issue maybe, but there certainly have been previous exploits that have rooted Android via the browser, and recent malware that has successfully attacked OS X / Linux via the browser: http://siliconangle.com/blog/2014/01/29/new-java-based-malware-can-infect-windows-mac-os-x-and-linux-systems/

          1. eulampios

            Re: @AC

            IE has a 75% market share of PC users

            According to various statistics IE's market share fluctuates around 25%. Not sure where you got the 75% number. It's pretty unlikely, if the 25% estimate is correct, since Firefox, Chrome et al. are also counted as PC users.

            but there certainly have been previous exploits that have rooted Android via the browser,

            Links please, or do you mean a browser/Android exploit together with a privilege escalation exploit of the Linux kernel can render that? That is theory, a possibility, yet it doesn't mean it has ever been demonstrated.

            that has successfully attacked OS X / Linux via the browser

            So again, you're trying to make it sound like it has happened.

            Potential, yet a very unlikely situation. Did you follow your own links and see that this Java trojan would write itself to /etc/init.d? How well do you know Linux-based systems, to run web browsers as root?

            A Java browser plug-in exploiting a patched Java vulnerability?

            I am not using the Java plug-in; most people don't use it nowadays (FF turns it off by default). JS is more of a headache due to a much heavier use; FF's users are still safer with NoScript...

            1. Anonymous Coward

              Re: @AC

              "According to various statistics IE's market share fluctuates around 25%"

              Nope - it is at about 60% of desktop users globally http://netmarketshare.com/

              (~75% is the US market share of desktop users for IE...)

              1. eulampios

                @AC, look at other more consistent figures

                This is a great discrepancy with pretty much every other source. Look at these numbers. According to them, IE currently holds about 20%, while Chrome holds more than 40%.

            2. Anonymous Coward

              Re: @AC

              "Links please, or do you mean a browser/Android exploit together with the privilege escalation exploit of the Linux kernel can render that. That is theory, a possibility, yet it doesn't mean it had been ever demonstrated."

              It has been demonstrated numerous times:

              http://www.technologyreview.com/news/524631/browser-exploit-for-android-highlights-googles-update-problem/

              https://threatpost.com/researcher-publishes-android-browser-exploit-110810/74650

              And the earlier get root methods involved just visiting a website...

              "Did you follow our own links and saw that this java trojan would write itself /etc/init.d"

              Sure - but Linux has historically had some of the highest vulnerability counts of any OS (approaching 1,000 known holes in the kernel alone), so finding an escalation vulnerability to go with it isn't likely going to be so hard....

              1. eulampios

                Re: @AC

                None of your links talk about successful exploitation of getting root. The first of them does mention an escape from the sandbox in the browser (a very old one, applicable only to devices prior to Android 2.2). AMOF, MS Windows had no mandatory app sandbox mechanism (at least until Windows 8). So, again, nothing specific.

                Sure - but Linux has historically had some of the highest vulnerability counts of any OS (approaching 1,000 known holes in the kernel alone)

                So, what is counted? Without weighing the severity of each bug, one cannot say anything just by looking at the number. Does it apply to ALL versions of Linux, all or most generic configurations, architectures or not? You see, you apply the monolithic Microsoft measure to this. MS kernels, or whatever they call a kernel, cannot be configured in gazillions of ways with various options (like built in or as a separate module, etc.). There are many more architectures and so many more current and extant versions of the Linux kernel out there than for any other OS. The heterogeneity of Linux distros and Linux kernels diminishes that number substantially.

  5. Mark Simon

    This should be a non-issue!

    Nobody needs to run IE any more, especially if you’re sitting on top of the sort of technology which the US military is supposed to have.

    Everything they say about military intelligence is true …

    1. Wzrd1 Silver badge

      Re: This should be a non-issue!

      Everything said about commentards is true.

      The Veterans of Foreign Wars is not a US DoD organization, it is a veterans organization. It started and remains a civilian organization whose singular requirement for full membership is being a veteran of a foreign war as part of the US Armed Forces.

      Hence, you've proved your ignorance for all the world to see, as has the author of this article by the idiotic headline.

    2. Anonymous Coward

      Re: This should be a non-issue!

      "Nobody needs to run IE any more"

      The other main option Google Chrome has historically had far more security holes than IE and is far harder to manage distributed policy for in a Windows environment. Plus the vast majority of Enterprise software is primarily supported against IE.

  6. Mikel

    Hey

    At least this time it wasn't Office.

  7. MrDamage Silver badge

    One more time for the dummies.

    Flash = Bad

    IE = Bad

    Flash + IE = URPWNED

    Note: Whilst I admit neither Chrome nor Firefox are without fault, at least you can mitigate the potential damage by using more secure versions of them, like Dragon, and IceDragon from Comodo.
