Threat Watch

Micro-patch Released for Internet Explorer Zero Day

The team at Enki has discovered a vulnerability in Internet Explorer that has been used in campaigns targeting security researchers. The vulnerability has been exploited to execute malicious code in the browser's render process and exfiltrate data from the victim machine. It should be noted that this exploit is contained by the low-integrity sandbox; to gain persistence on the machine, another exploit must be chained to this attack. What is striking about this initial attack vector is the ease with which it executes. If the more obvious approach, in which a user would need to accept a popup prompt approving the activity, is unsuccessful, the exploit can be deployed instantly from a malicious ad hosted on a benign website. Phishing email messages with links that redirect unsuspecting users to malicious web pages are all too common and successful.

This is a double-free bug, triggered by JavaScript embedded in an MHTML file, a format that Internet Explorer handles by default. Microsoft developers will have to work to implement a permanent fix that preserves full functionality of the affected component. In the meantime, a free micro-patch has been released by the developers at 0patch, who opted to forgo a more complex and riskier avenue towards mitigation and instead decided to “break the obscure browser functionality that allows setting an HTML Attribute value to an object.”


Actively exploited zero-day vulnerabilities are regularly used as attack vectors by APT groups and ransomware groups. Vulnerabilities in web browsers are especially troublesome because they may require nothing more than the targeted person clicking a link and visiting a web page to trigger an exploit. At the time of writing, Microsoft has yet to address this vulnerability. It is imperative to have a data backup policy in place and contingency options available. Application whitelisting and filtering web traffic to block sites with low reputation scores will strengthen defenses, along with network segmentation to mitigate lateral movement. The strongest solution is to operate a 24/7 Security Operations Center (SOC), including threat hunting and active intelligence that seeks out threats and abnormal user activity that could signal an intrusion. (Korean – English translation available on site) (Network segmentation reference.)
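The following is an added example, not code from the original post or from Enki or 0patch, showing what two of the controls above look like as proxy-log triage logic: blocking requests to hosts with low reputation scores, and raising an alert when MHTML content (the file type the post says triggers the bug) is served to an Internet Explorer client. The reputation table, thresholds, log format and log lines are all constructed for illustration; the MHTML-to-IE heuristic is an assumed detection angle, not something the post prescribes.

```python
"""Proxy-log triage: reputation-based blocking plus an MHTML-to-IE alert.

Added example, not from the original post or from Enki/0patch. Reputation
scores, thresholds, the log format and the sample log lines are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple
from urllib.parse import urlparse

# Constructed reputation table: host -> score (0 = worst, 100 = best).
# A real deployment would pull these from a reputation feed.
REPUTATION: Dict[str, int] = {
    "ads.example-low-rep.test": 12,
    "cdn.trusted-news.test": 91,
    "newly-registered.test": 5,
}
BLOCK_THRESHOLD = 30       # anything scoring below this is blocked outright
UNKNOWN_HOST_SCORE = 40    # hosts absent from the feed get a neutral score

# Content types and extensions under which MHTML is commonly delivered.
MHTML_CONTENT_TYPES = {"message/rfc822", "multipart/related", "application/x-mimearchive"}
MHTML_EXTENSIONS = (".mht", ".mhtml")


@dataclass
class Verdict:
    url: str
    action: str   # "block", "alert" or "allow"
    reason: str


def host_score(url: str) -> int:
    host = urlparse(url).hostname or ""
    return REPUTATION.get(host, UNKNOWN_HOST_SCORE)


def is_mhtml(url: str, content_type: str) -> bool:
    """True if either the Content-Type or the URL extension indicates MHTML."""
    path = urlparse(url).path.lower()
    base_type = content_type.split(";")[0].strip().lower()
    return base_type in MHTML_CONTENT_TYPES or path.endswith(MHTML_EXTENSIONS)


def is_internet_explorer(user_agent: str) -> bool:
    # IE 11 identifies itself with "Trident/7.0"; older versions with "MSIE".
    return "Trident/" in user_agent or "MSIE" in user_agent


def triage(url: str, content_type: str, user_agent: str) -> Verdict:
    """Reputation blocking first, then the MHTML-served-to-IE heuristic."""
    score = host_score(url)
    if score < BLOCK_THRESHOLD:
        return Verdict(url, "block", f"reputation {score} below {BLOCK_THRESHOLD}")
    if is_mhtml(url, content_type) and is_internet_explorer(user_agent):
        return Verdict(url, "alert", "MHTML content delivered to Internet Explorer")
    return Verdict(url, "allow", f"reputation {score}")


def parse_log_line(line: str) -> Tuple[str, str, str]:
    """Constructed tab-separated proxy format: url<TAB>content-type<TAB>user-agent."""
    url, content_type, user_agent = line.rstrip("\n").split("\t")
    return url, content_type, user_agent


def triage_log(lines: List[str]) -> List[Verdict]:
    return [triage(*parse_log_line(line)) for line in lines]


# Constructed sample log lines (not real traffic).
IE11_UA = "Mozilla/5.0 (Windows NT 10.0; Trident/7.0; rv:11.0) like Gecko"
FIREFOX_UA = "Mozilla/5.0 (X11; Linux x86_64) Firefox/85.0"
SAMPLE_LOG = [
    f"https://cdn.trusted-news.test/article.html\ttext/html\t{IE11_UA}",
    f"https://ads.example-low-rep.test/banner.js\tapplication/javascript\t{IE11_UA}",
    f"https://cdn.trusted-news.test/archive/page.mht\tmessage/rfc822\t{IE11_UA}",
    f"https://cdn.trusted-news.test/archive/page.mht\tmessage/rfc822\t{FIREFOX_UA}",
    f"https://unknown-host.test/index.html\ttext/html\t{IE11_UA}",
]

if __name__ == "__main__":
    for v in triage_log(SAMPLE_LOG):
        print(f"{v.action:5}  {v.url}  ({v.reason})")
```

Reputation blocking runs before the MHTML check so that a low-reputation host is blocked regardless of what it serves; the MHTML rule is deliberately an alert rather than a block, because legitimate MHTML archives exist and the point is to surface them for a SOC analyst, not to break them silently.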