Critical fixes delivered for all Internet Explorer versions

Sep 10, 2014 21:43 GMT  ·  By

In this month’s cumulative set of updates for Internet Explorer, Microsoft patched the browser against a flaw that allowed attackers to glean information about Enhanced Mitigation Experience Toolkit (EMET) and other security products that were active on the affected system.

The vulnerability was exploited during a cyber-espionage campaign, dubbed Operation SnowMan by FireEye and carried out at the beginning of the year against American military personnel.

Attack stopped if EMET was active

Present in Internet Explorer 10, the flaw made it possible to check which protection solutions were present on the compromised system. If EMET was detected, exploitation would be aborted.

The same would happen if the user browsed with a different version of Internet Explorer. Switching to a newer IE build or having EMET enabled was the recommendation of the experts for protecting against the attack.

Microsoft explained the risk of the bug in the security bulletin and said that “an information disclosure vulnerability exists in Internet Explorer which allows resources loaded into memory to be queried. This vulnerability could allow an attacker to detect anti-malware applications in use on a target and use the information to avoid detection.”

ActiveX control at fault

Attackers leveraged the Microsoft.XMLDOM ActiveX control to enumerate local resources and determine the existence of local pathnames, intranet hostnames and IP addresses by scrutinizing the error codes generated when loading a one-line XML string pointing to the EMET DLL.
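A defender-side sketch of the pattern described above, added here as an example and not taken from Microsoft, FireEye or this article: it scans captured page source (from a proxy or sandbox, for instance) for the combination the article names and separates it from ordinary legacy XMLDOM use. The indicator names, verdict labels and both sample pages are constructed for illustration.

```python
import re

# Indicators drawn from the article's description of the technique.
INDICATORS = {
    "xmldom_activex": re.compile(r"ActiveXObject\s*\(\s*['\"]Microsoft\.XMLDOM['\"]", re.I),
    "loadxml_call": re.compile(r"\.loadXML\s*\(", re.I),
    "error_code_check": re.compile(r"\.parseError\s*\.\s*errorCode", re.I),
    "local_dll_reference": re.compile(r"[a-z]:\\{1,2}[^'\"<>]*\.dll", re.I),
}

# Joins adjacent string literals ("Micro" + "soft") so split names still match.
CONCAT = re.compile(r"['\"]\s*\+\s*['\"]")


def scan_page(source):
    """Return (verdict, matched indicator names) for one page's source."""
    normalized = CONCAT.sub("", source)
    hits = sorted(n for n, rx in INDICATORS.items() if rx.search(normalized))
    if "xmldom_activex" not in hits:
        return "clean", hits
    # XMLDOM plus an error check is normal XML handling on old pages;
    # it only becomes interesting when the XML also names a local DLL.
    if {"local_dll_reference", "error_code_check"} <= set(hits):
        return "suspicious", hits
    return "legacy-xml-use", hits


# Constructed sample: a legacy page that parses inline XML and checks for errors.
BENIGN_PAGE = r"""<script>
var d = new ActiveXObject("Microsoft.XMLDOM");
d.loadXML("<items><item>1</item></items>");
if (d.parseError.errorCode != 0) { alert("bad XML"); }
</script>"""

# Constructed sample: placeholder path, control name split to dodge naive matching.
SUSPICIOUS_PAGE = r"""<script>
var x = new ActiveXObject("Micro" + "soft.XMLDOM");
x.loadXML('<!-- constructed placeholder: C:\\PLACEHOLDER\\product.dll -->');
var code = x.parseError.errorCode;
</script>"""

if __name__ == "__main__":
    for name, page in (("benign", BENIGN_PAGE), ("suspicious", SUSPICIOUS_PAGE)):
        print(name, scan_page(page))
```

A "suspicious" verdict is a triage signal for an analyst, not proof of exploitation; the heuristic only looks at static source and will miss heavier obfuscation.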

In the security bulletin, Microsoft says that a perpetrator could gain the same rights as the logged-in user. As such, users with limited privileges would be less impacted than those with administrative rights.

An attack scenario provided by the company includes a compromised website rigged to exploit the vulnerability.

“In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer, and then convince a user to view the website. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit this vulnerability,” Microsoft says.

Internet Explorer 6 through 11 receive security updates

Most of the fixes in the cumulative updates eliminate the risk of remote code execution through different methods.

Potential attackers could exploit weaknesses to modify the way IE handled objects in memory, as well as add new permission validations to the web browser.

A good deal of the vulnerabilities were reported by Bo Qu of Palo Alto Networks, who disclosed to the company a total of 15 critical glitches, for all browser versions.