Incident Response, TDR, Vulnerability Management

Attackers leverage new IE zero-day in ‘Clandestine Fox’ op

A security firm warns that over a quarter of web browsers are likely vulnerable to zero-day attacks that take advantage of a recently discovered bug in Internet Explorer (IE).

Over the weekend, Microsoft alerted users that the vulnerability, affecting IE 6 through IE 11, had already been leveraged in “limited, targeted attacks,” against users. FireEye discovered the threat and disclosed information about the bug in a Saturday blog post, dubbing an ongoing campaign using the exploit, “Operation Clandestine Fox.”

FireEye noted that, in order to exploit the bug, an attacker would need to use an Adobe Flash exploitation technique, meaning the popular software would need to be enabled. Targeted attacks were specifically aimed at IE 9 through IE 11, the company said.

Microsoft has yet to release a patch for the issue, but the tech giant advised IE users to employ its Enhanced Mitigation Experience Toolkit (EMET) as a workaround for the issue, since the tool provides additional security layers that make the vulnerability harder to exploit, a Microsoft security advisory said.

The remote code execution vulnerability (CVE-2014-1776) “exists in the way that Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated,” the advisory said. “The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer.”

To exploit the vulnerability, an attacker could convince a user to view a specially crafted website rigged to exploit the flaw, Microsoft said.

In its blog post, FireEye further warned that versions of IE vulnerable to the threat accounted for over 26 percent of the browser market last year, according to data available at NetMarket Share.

On the advanced persistent threat (APT) group actively exploiting the vulnerability, FireEye said that the attackers were “extremely proficient at lateral movement” and “difficult to track, as they typically do not reuse command and control infrastructure.” The group has a track record of using IE zero-days to spread backdoors, which give them full access to victims' systems.

In a Monday blog post, Ross Barrett, senior manager of security engineering at Rapid7, said that the news of the IE zero-day also brings inevitable concerns for Windows XP users, as the software received its final fixes earlier this month on Patch Tuesday.

“Overall, this issue isn't all that different from any number of IE 0-days,” Barrett wrote. “We usually get three or four every year, except that it's the first in the post-XP world. All the more reason for users to move to modern, supported, operating systems where advanced mitigation techniques are available.”

In a follow up interview with, Barrett added that, while attacks are currently limited, users should take necessary precautions now, before exploitation becomes more widespread.

“[Limited, targeted attacks] probably means that one or two customers in their base have been impacted by the threat,” Barrett said of FireEye's findings. “But now that it's been so thoroughly disclosed, other people will adapt it.”

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.