Microsoft today informed Zscaler Labs, via the MAPPs program, of a critical 0day vulnerability in Internet Explorer that is being used in targeted attacks to install a backdoor on vulnerable systems. The attacks are initiated via an email campaign which social engineers victims into visiting an otherwise legitimate website, which has been infected with the 0day exploit. The exploit was designed for Internet Explorer 6 and 7 (although IE 8 is also vulnerable) and the attack therefore first probes incoming requests to identify the browser type and only delivers the exploit to older versions of IE. Once infected, the victim machine then connects to a second server in Poland and downloads additional instructions, delivered in the form of encrypted .gif files. Although the websites used for both the initial infection and subsequent downloads have now been taken down, we fully expect other attack sites to emerge, especially now that this issue has been made public.
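The two observable traits above, exploit delivery conditioned on an old IE User-Agent and second-stage instructions disguised as .gif files, give a defender something concrete to hunt for in proxy logs. The following is an added example, not Zscaler's code or part of the original post: it flags responses presented as GIF images whose bytes lack a real GIF signature, and raises the priority when the client was a legacy IE 6 or 7 build. The record layout, hostnames and byte samples are constructed for illustration.

```python
import re

# A genuine GIF begins with one of these two signatures.
GIF_MAGIC = (b"GIF87a", b"GIF89a")
# IE 6 and 7 identify themselves as "MSIE 6." / "MSIE 7." in the User-Agent.
LEGACY_IE = re.compile(r"MSIE [67]\.")

# Constructed proxy records: (user_agent, url, content_type, leading body bytes).
# "example.invalid" is a placeholder, not a real attack host.
SAMPLE_RECORDS = [
    ("Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)",
     "http://example.invalid/images/logo.gif", "image/gif", b"GIF89a\x01\x00"),
    ("Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)",
     "http://example.invalid/cmd/update1.gif", "image/gif", b"\x8f\x1a\xc3\x07"),
    ("Mozilla/5.0 (Windows; U; Windows NT 6.1) Firefox/3.6",
     "http://example.invalid/cmd/update2.gif", "image/gif", b"GIF87a\x10\x00"),
]


def looks_like_gif(body: bytes) -> bool:
    """True if the response body starts with a real GIF signature."""
    return body.startswith(GIF_MAGIC)


def claims_gif(url: str, content_type: str) -> bool:
    """True if the response is presented as a GIF by extension or MIME type."""
    path = url.split("?", 1)[0].lower()
    return path.endswith(".gif") or content_type.lower().startswith("image/gif")


def flag_record(user_agent: str, url: str, content_type: str, body: bytes) -> list:
    """Return the reasons a record is suspicious; an empty list means clean."""
    reasons = []
    if claims_gif(url, content_type) and not looks_like_gif(body):
        reasons.append("gif-without-gif-header")
        # A fake GIF fetched by the browser versions the exploit targets
        # deserves a closer look than the same fetch from another client.
        if LEGACY_IE.search(user_agent):
            reasons.append("legacy-ie-client")
    return reasons


def scan(records) -> list:
    """Return (url, reasons) for every record that triggered at least one flag."""
    hits = []
    for user_agent, url, content_type, body in records:
        reasons = flag_record(user_agent, url, content_type, body)
        if reasons:
            hits.append((url, reasons))
    return hits
```

Fetching a fake GIF on its own is not proof of compromise (obfuscated files are served for benign reasons too), so treat the hit as a triage lead to pair with the client's later traffic.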
While Microsoft has issued a security advisory for this vulnerability and recommended workarounds, a patch is not presently available, and it is not known when one will be issued. In the meantime, Zscaler has deployed protections for this vulnerability, ensuring that Zscaler customers licensed for the Advanced Threat Protection service are shielded from attack without the need to take further action. We will continue to monitor the issue and provide additional protections as warranted. A preliminary analysis of Zscaler logs has not revealed any attacks on Zscaler customers to this point.
2458511 – Microsoft Security Advisory: Vulnerability in Internet Explorer Could Allow Remote Code Execution