Microsoft Patches Zero-Day Flaw Used by Malvertising Gangs


Vulnerability Has Been Exploited Since at Least January 2014

Photo: Julien Gong (Flickr/CC)

For anyone who's using an unsupported version of a Microsoft operating system or browser - including Windows XP, Windows Server 2003 and Internet Explorer version 8 or earlier - please look away now.


For everyone else, it's time to update Windows to patch a slew of serious flaws.

On Sept. 13, Microsoft issued 14 security updates as part of its latest round of monthly patches, of which seven fix "critical" security flaws that could be remotely exploited by attackers to take full control of a Windows system.

The critical updates fix flaws in IE versions 9 to 11 and the Edge browser, as well as Microsoft Office, the Microsoft Graphics Component, Microsoft Exchange Server and the VBScript Scripting Engine. Microsoft is also continuing its practice of shipping fixes for the Adobe Flash Player embedded in IE and Edge; Flash has its own set of critical flaws that attackers could exploit to take complete control of a system by serving users malicious Flash content.

Needless to say, many of those same flaws exist in older, "unsupported" versions of Microsoft Windows and IE but will see no fixes. As a result, users of that software are at dramatically increased risk of seeing their systems get exploited via the flaws - some of which can be used to take control of a system without any user interaction - once attackers reverse-engineer Microsoft's code updates.

The Microsoft Graphics Component flaw, for example, could be used by attackers to remotely execute any code on a Windows 10 system, provided they can trick a user into visiting a malicious website or opening a malicious document.

Malvertising Firms Target Windows Users

Another one of the flaws being fixed is a zero-day vulnerability that's been exploited by attackers for more than two years. The flaw, CVE-2016-3351, exists in the IE and Edge browsers, and is being actively exploited by the malvertising groups known as AdGholas and GooNky.

French security researcher Kafeine, who works with security firm Proofpoint, says in a blog post that he helped alert Microsoft to the flaw in 2015. But it wasn't until Proofpoint and Trend Micro again warned Microsoft about the flaw this year, he says, that the software giant committed to prepping a fix.

Kafeine says that recent research has found that the flaw has been exploited in the wild since at least January 2014 as part of a "massive ... malvertising operation," adding that it shows how "threat actors are increasingly exploiting non-critical bugs and low-level vulnerabilities that may remain unpatched for months or years at a time."

The groups appear to have covered their tracks well, staying off security researchers' radar for more than two years despite serving malvertising to up to 5 million users per day. "Avoiding researchers and their virtual machines and sandboxes relied on exploiting an information disclosure zero-day in Microsoft Internet Explorer/Edge, among other techniques," Kafeine says. In addition, attackers employed "the first documented use of steganography in a drive-by malware campaign," as well as sophisticated filtering, to ensure that they only infected desired systems.

Steganography refers to the practice of hiding data - here, attack code - in plain sight inside an innocuous-looking carrier such as an image file. The image still displays normally, so filters and analysts who only inspect the visible content see nothing unusual, while the attacker's script extracts the embedded payload and runs it.
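The following is an added illustration of the technique just described, written for this article; it is not code from the AdGholas campaign, whose actual encoding scheme the article does not describe. It hides an arbitrary byte string in the least-significant bit of every byte of a raw RGB pixel buffer (a constructed 64x64 gradient stands in for a decoded image), then recovers it. Each carrier byte changes by at most 1, so the picture looks identical to the eye. The extractor includes the sanity check a practitioner would want: a length header that does not fit in the carrier means there is no payload, not a 68 MB one.

```python
"""LSB steganography demo (added example; not code from the page or from AdGholas).

Payload framing hidden in the carrier's LSB plane: 4-byte big-endian length,
then the payload bytes, MSB first, one bit per carrier byte.
"""


def embed(carrier: bytes, payload: bytes) -> bytes:
    """Return a copy of carrier whose LSBs encode [len(payload)][payload]."""
    framed = len(payload).to_bytes(4, "big") + payload
    needed_bits = len(framed) * 8
    if needed_bits > len(carrier):
        raise ValueError(
            f"carrier holds at most {len(carrier) // 8 - 4} payload bytes, "
            f"got {len(payload)}"
        )
    out = bytearray(carrier)
    bit_index = 0
    for byte in framed:
        for shift in range(7, -1, -1):          # MSB first
            bit = (byte >> shift) & 1
            out[bit_index] = (out[bit_index] & 0xFE) | bit
            bit_index += 1
    return bytes(out)


def _read_lsb_bytes(stego: bytes, offset_bits: int, count: int) -> bytes:
    """Reassemble `count` bytes from the LSBs starting at bit offset `offset_bits`."""
    result = bytearray()
    for i in range(count):
        value = 0
        for j in range(8):
            value = (value << 1) | (stego[offset_bits + i * 8 + j] & 1)
        result.append(value)
    return bytes(result)


def extract(stego: bytes) -> bytes:
    """Recover the payload hidden by embed().

    Raises ValueError if the carrier is too small or the length header is
    implausible (the usual sign that this image carries no LSB payload).
    """
    if len(stego) < 32:
        raise ValueError("carrier too small to hold a length header")
    length = int.from_bytes(_read_lsb_bytes(stego, 0, 4), "big")
    if 32 + length * 8 > len(stego):
        raise ValueError(
            f"length header says {length} bytes but carrier cannot hold them; "
            "probably no payload present"
        )
    return _read_lsb_bytes(stego, 32, length)


def max_pixel_delta(a: bytes, b: bytes) -> int:
    """Largest per-byte change between two pixel buffers (1 for LSB embedding)."""
    return max(abs(x - y) for x, y in zip(a, b))


# Constructed carrier: a 64x64 8-bit RGB gradient, 12288 bytes (stand-in for a
# decoded PNG/BMP pixel buffer; assumption for this demo, not a real ad image).
WIDTH, HEIGHT = 64, 64
CARRIER = bytes(
    (x * 4) % 256 if c == 0 else (y * 4) % 256 if c == 1 else (x + y) % 256
    for y in range(HEIGHT)
    for x in range(WIDTH)
    for c in range(3)
)

# Constructed sample payload; a real campaign would hide its loader script here.
PAYLOAD = b"<script>/* constructed sample standing in for a hidden loader */</script>"


if __name__ == "__main__":
    stego = embed(CARRIER, PAYLOAD)
    assert max_pixel_delta(CARRIER, stego) <= 1
    print("recovered:", extract(stego).decode())
    try:
        extract(CARRIER)                        # clean carrier, no payload
    except ValueError as exc:
        print("clean carrier rejected:", exc)
```

The framing matters more than the bit trick: without a length header (or a terminator) an extractor has no way to know where the payload stops, and without the plausibility check on that header a clean image's noise bits decode as a huge bogus length. Real campaigns typically add an encoding layer on top of this so the recovered bytes do not look like script text even after extraction.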


Beware Vulnerable Detours

Microsoft's September security fix for Microsoft Office includes a patch for code-hooking flaws discovered by security firm enSilo.

The security firm says the flaws appear to have existed in Microsoft's commercial hooking engine Detours for nearly a decade. In recent months, enSilo said it notified numerous security vendors - including AVG, Avast, BitDefender, Citrix, Emsisoft, Webroot, Symantec, Kaspersky Lab and Trend Micro - about the vulnerability, and that all of those vendors, at least, had patched their products.

"'Hooking' techniques enable products to monitor and/or change the behavior of operating system functions," says Udi Yavo, CTO of enSilo, noting that such capabilities are used to provide everything from virtualization and sandboxing to performance monitoring and anti-malware scans. But those same capabilities could be abused to "allow an attacker to easily bypass the operating system and third-party exploit mitigations" and exploit systems while remaining undetected.

Yavo warns that Detours is integrated into thousands of different products, including Microsoft Office. Because the hooking engine is compiled into each product rather than shared as a single system component, every affected product will have to be rebuilt by its developers against the fixed Detours, and users will then have to install the resulting updates. To help identify vulnerable applications, enSilo has released a free tool, Captain-Hook, a.k.a. "FindADetour," via the code-sharing site GitHub; security teams can use it to test software and see if it includes a vulnerable version of Detours.

Fresh Flash Flaws

Also on Sept. 13, Adobe released a trio of security updates that fix flaws in Adobe Flash, AIR and Adobe Digital Editions, which is an e-book viewer.

Given the number of critical flaws in Flash that have been patched in recent years on a near-monthly - or more frequent - basis, computer users might be forgiven for thinking that there was nothing left to fix in the Flash code base.

But they'd be wrong.

In fact, security experts say that anyone who has not already installed the latest fix for Flash is a sitting duck. The related update, APSB16-29, "fixes a whopping 29 vulnerabilities" in versions of Flash that run on Windows, Mac OS X, Linux and ChromeOS, says Amol Sarwate, director of the Vulnerability Labs at security firm Qualys, in a blog post.

The Flash bugs - including integer overflow, memory corruption and use-after-free flaws - "could potentially allow an attacker to take control of the affected system," Adobe warns, for example, if attackers trick a browser user into viewing malicious Flash content.

"It's interesting to note that all issues found in the Flash advisory were found by third-party researchers," Sarwate says. "As Flash is targeted by many exploit kits, we recommend you patch immediately."

Alternatively, uninstall Flash altogether on the grounds that it is an attack magnet: exploit toolkits regularly push updates to automatically exploit the latest Flash flaws, sometimes before users have applied the corresponding patch.