Thursday, 20 November 2014

First exploitation of Internet Explorer ‘Unicorn bug’ in-the-wild

Last week’s patch of a Microsoft Internet Explorer vulnerability allowing remote code execution, which had lain undiscovered for almost 20 years, has prompted significant interest among cyber-attackers. Earlier this week ESET researchers spotted the first proof-of-concept showing the “Unicorn Bug” in action.

Microsoft released a patch last week for a critical vulnerability allowing remote code execution in Internet Explorer. The vulnerability stems from an old bug present in Internet Explorer versions 3 through 11, which means that most, if not all, Internet Explorer users are vulnerable unless their systems are patched. It gets worse: the vulnerability not only can be used by an attacker to run arbitrary code on a remote machine, but it can also bypass the Enhanced Protected Mode sandbox in IE11 as well as Microsoft’s free anti-exploitation tool, the Enhanced Mitigation Experience Toolkit (EMET).

Earlier this week, a proof-of-concept successfully exploiting this vulnerability in Internet Explorer was made publicly available. It showed that arbitrary code could be run on a machine merely by visiting a specially crafted website with an unpatched version of Internet Explorer. It was thus only a matter of time before we started seeing this vulnerability actively used as part of a cybercriminal campaign. Scouring our data, we found several blocked exploitation attempts while our users were browsing a major Bulgarian website. The exploit is detected by ESET as Win32/Exploit.CVE-2014-6332.A. As you might have guessed, the compromised website was using CVE-2014-6332, the “Unicorn bug”, to install malware on the computers of its unsuspecting visitors.

Since all supported versions of Windows were vulnerable to this exploit before the patch was released last week, we can expect the conversion rate of this vulnerability (the share of visitors to a compromised site who end up infected) to be very high. If you haven’t updated Internet Explorer yet, please take the time to do it right now through Windows Update.

A detailed report on the new vulnerability can be found on ESET Ireland’s blog.