Zero-day vulnerability in Microsoft Internet Explorer

Security bypass
CVE-2015-0071

Allegedly, Chinese hackers combined it with a remote-code execution vulnerability in Adobe Flash to infect visitors to the Forbes website with malware since November, 2014.

Known malware:

JS:CVE-2015-0071-A.

Vulnerability details

Advisory: SB2015021001 - Multiple vulnerabilities in Microsoft Internet Explorer

Vulnerable component: Microsoft Internet Explorer

CVE-ID: CVE-2015-0071

CVSSv3 score: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N/E:H/RL:O/RC:C

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Description:

The vulnerabiity allows a remote attacker to bypass security restrictions on the target system.

The weakness exists due to failure to use Address Space Layout Randomization (ASLR). A remote attacker can create a specially crafted Web site, trick the victim into visiting it, bypass ASLR mechanism and predict memory locations that if connected with another vulnerability allows to execute arbitrary code.

Successful exploitation of this vulnerability results in security bypass on the vulnerable system.

Note: the vulnerability was being actively exploited.

Known APT campaigns:

US Defense and Financial Services firms breach

The attack reffers to a Chinese actor group Codoso (according to iSIGHT Partners), Sunshop Group (according to FireEye).

External links:

https://technet.microsoft.com/library/security/ms15-009
https://cdn4.esetstatic.com/eset/US/resources/docs/white-papers/Windows_Exploitation_in_2015.pdf
https://www.symantec.com/security_response/vulnerability.jsp?bid=72455
http://blog.trendmicro.com/trendlabs-security-intelligence/bypassing-aslr-with-cve-2015-0071-an-out-...
https://www.invincea.com/2015/02/chinese-espionage-campaign-compromises-forbes/
http://www.theregister.co.uk/2015/02/10/patch_tuesday_release_fixes_unprecedented_zeroday_design_fla...
https://www.hackread.com/hackers-use-flash-and-ie-to-target-forbes-visitors/
https://arstechnica.com/security/2015/02/pwned-in-7-seconds-hackers-use-flash-and-ie-to-target-forbe...
http://www.securityweek.com/microsoft-patches-critical-windows-internet-explorer-vulnerabilities-pat...
http://www.threatgeek.com/2016/05/turbo-twist-two-64-bit-derusbi-strains-converge.html
https://www.scmagazine.com/forbescom-attackers-exploited-zero-days-in-flash-ie/article/536348/
https://arstechnica.com/security/2015/02/pwned-in-7-seconds-hackers-use-flash-and-ie-to-target-forbe...

About zero-day vulnerabilities

Zero-day vulnerability is an undisclosed vulnerability in software that hackers can exploit to compromise computer programs, gain unauthorized access to sensitive data, penetrate networks, etc. We consider vulnerability a zero-day when there is no solution provided from software vendor and the vulnerability is being actively exploited by malicious actors.

Zero-day candidate is a potential zero-day vulnerability in software which might have been used in targeted attacks, however there is no evidence to support this suggestion.