Patch Promised for Flaw Allegedly Exploited by ‘DarkHotel’ APT Gang
Microsoft says it’s prepping a patch to fix a memory corruption flaw in multiple versions of Internet Explorer that is being exploited by in-the-wild attackers.
In a security alert issued on Friday, Microsoft says the vulnerability – designated CVE-2020-0674 – is present in IE9 running on Windows Server 2008, IE10 running on Windows Server 2012 and IE11 running on Windows 7, 8.1, RT 8.1, 10 and Server 2019, among other operating systems.
Microsoft warns that the flaw is already being exploited in “limited, targeted attacks.” It’s issued no timeline for when a patch will be published, although it notes that it prefers to release security updates on the second Tuesday of every month, as part of its monthly “Patch Tuesday” batch of fixes. Hence Feb. 11 seems a likely date for a security update to appear.
The flaw, which exists in a scripting engine built into Internet Explorer, could be exploited by attackers to remotely execute code of their choosing, Microsoft says. “An attacker who successfully exploited the vulnerability could gain the same user rights as the current user,” it says. “If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”
Security Advisory – Microsoft Guidance on Scripting Engine Memory Corruption – for more information please visit: https://t.co/C3W9Y6saTu
— Security Response (@msftsecresponse) January 17, 2020
One attack scenario involves targeting users via phishing attacks. “An attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website, for example, by sending an email,” Microsoft says.
The flaw poses a “moderate” risk for servers, and a “critical” risk for all other affected systems, Microsoft says. Critical means the flaw can be remotely exploited to take full control of a vulnerable system.
Not all IE users appear to be at risk. “By default, IE11, IE10, and IE9 use Jscript9.dll, which is not impacted by this vulnerability,” Microsoft says. “This vulnerability only affects certain websites that utilize jscript as the scripting engine.”
Mitigation: Restrict ‘JScript.dll’
Any site at risk from the flaw can mitigate it by restricting access to JScript.dll, Microsoft says. But Microsoft warns that any such mitigation must be rolled back before attempting to install future security updates, and that blocking the library may break other processes that depend on it.
Windows Server devices are not, in their default settings, at risk. “By default, Internet Explorer on Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016 and Windows Server 2019 runs in a restricted mode that is known as Enhanced Security Configuration,” Microsoft says in its alert. “Enhanced Security Configuration is a group of preconfigured settings in Internet Explorer that can reduce the likelihood of a user or administrator downloading and running specially crafted web content on a server. This is a mitigating factor for websites that you have not added to the Internet Explorer Trusted sites zone.”
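As an added example (not the article's text or Microsoft's own workaround commands), the following PowerShell applies, verifies and rolls back a deny-Everyone access rule on jscript.dll, the kind of file-access restriction the article describes. It assumes an elevated prompt, that the DLL lives under System32 (and SysWOW64 on 64-bit Windows), and that the -Rollback switch is run before the vendor patch is installed, as the article warns.

```powershell
# Added example: restrict (or restore) access to jscript.dll via a deny ACE.
# Run elevated. Use -Rollback before installing security updates.
param(
    [switch]$Rollback
)

# 64-bit Windows carries a second, 32-bit copy of the DLL under SysWOW64.
$targets = @("$env:windir\System32\jscript.dll")
if ([Environment]::Is64BitOperatingSystem) {
    $targets += "$env:windir\SysWOW64\jscript.dll"
}

# S-1-1-0 is the well-known SID for Everyone; using the SID avoids locale issues.
$everyone = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $everyone, 'FullControl', 'Deny')

foreach ($dll in $targets) {
    if (-not (Test-Path $dll)) { Write-Warning "Not present: $dll"; continue }

    # System files are owned by TrustedInstaller; take ownership so the DACL
    # can be edited. The owner keeps READ_CONTROL/WRITE_DAC even under the
    # deny ACE, which is what makes the later rollback possible.
    & takeown.exe /f $dll | Out-Null

    $acl = Get-Acl -Path $dll
    if ($Rollback) { [void]$acl.RemoveAccessRuleAll($rule) }
    else           { $acl.AddAccessRule($rule) }
    Set-Acl -Path $dll -AclObject $acl

    # Verify the resulting ACL instead of trusting that Set-Acl succeeded.
    $denyPresent = (Get-Acl -Path $dll).Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        $_.IdentityReference.Translate(
            [System.Security.Principal.SecurityIdentifier]).Value -eq 'S-1-1-0'
    }

    if ($Rollback) {
        if ($denyPresent) { Write-Error "Deny ACE still present on $dll" }
        else { "Restored: $dll" }
    } else {
        if ($denyPresent) { "Restricted: $dll" }
        else { Write-Error "Deny ACE was not applied to $dll" }
    }
}
```

Anything that loads the legacy JScript engine (not only Internet Explorer) will fail while the deny rule is in place, so test on a representative host before rolling it out.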
First Exploits May Trace to ‘DarkHotel’
Chinese security research firm Qihoo 360, in a Chinese-language report, says the vulnerability appears to be getting exploited by DarkHotel, an advanced persistent threat group that focuses on “China, Russia, Japan and other countries.”
DarkHotel – so called because the group has appeared to follow targets from hotel to hotel as they traveled around the world by compromising the networks of their lodgings – is also known as Fallout Team and Tapaoux. The group, which appears to have been in existence since at least 2007, has practiced spear-phishing attacks as well as gaining physical access to devices, experts say.
Kaspersky has previously noted that the group has regularly hacked diplomatic targets, as well as organizations that have “strategic commercial interests” – ranging from electronics and pharmaceuticals firms to private equity institutions and automotive manufacturers – in the Asia-Pacific region.
Some security firms have said the group appears to have ties to South Korea (see: Darkhotel APT Gang Taps Flash Flaw).
Windows 7 Patch Being Prepped?
Microsoft’s security alert about CVE-2020-0674 lists Windows 7 – as well as Windows Server 2008 and 2008 R2 – as at-risk operating systems. Their inclusion is notable, because on Tuesday, Microsoft released its last set of regular, monthly security updates for those operating systems, saying that they were no longer being supported. Even so, market researchers estimate that up to one-third of all Microsoft systems in the wild remain Windows 7. And Qihoo 360 reports that in China, Windows 7 may command close to a 60 percent market share, with the user base encompassing not only businesses but also government agencies and the military (see: Windows 7: Microsoft Ceases Free Security Updates).
Microsoft didn’t immediately respond to a request for comment about whether it is prepping CVE-2020-0674 patches for any no-longer-supported operating systems.
But Microsoft’s inclusion of Windows 7, Windows Server 2008 and 2008 R2 on its list of vulnerable operating system versions suggests that the company plans to issue CVE-2020-0674 patches for those versions of Windows.
Flaw Found by Google and Qihoo 360
Credit for finding the flaw, Microsoft says, goes to Clément Lecigne of Google’s Threat Analysis Group as well as Ella Yu from Qihoo 360.
Google’s Threat Analysis Group has previously reported numerous flaws to software makers, including not only Microsoft but also Apple (see: Apple Update: Drop Everything and Patch iOS).
Likewise, Qihoo 360 has previously discovered and reported a number of vulnerabilities to Microsoft, including a zero-day flaw in older versions of Windows that Microsoft patched in September 2019 (see: Microsoft Patches 2 Windows Flaws Already Being Exploited).
“In 2019, Clément also discovered a pair of zero-day vulnerabilities exploited together in the wild in Google Chrome (CVE-2019-5786) and Microsoft Windows (CVE-2019-0808), as well as a zero-day memory corruption vulnerability in Internet Explorer exploited in the wild (CVE-2019-1367),” says Rody Quinlan, a research engineer in security firm Tenable’s security response team, in a blog post.
“Earlier this month, Qihoo 360 was credited with discovering a zero-day vulnerability in Mozilla Firefox exploited in the wild in targeted attacks. At the same time, reports emerged that Qihoo 360 also discovered an Internet Explorer zero-day based on a now-deleted tweet” – as ZDNet reported at the time. “No information was available at that time, but it appears that this was the vulnerability that had been referenced.”