IE Zero Day is Used in DoL Watering Hole Attack

Similar to what we found before in a series of watering hole attacks, targeting CFR and Chinese Dissidents,  zero-day and just patched vulnerabilities were used. In the latest watering hole attack against Department of Labor (DoL), our research indicates a new IE zero-day is used in this watering hole attack, although some other vendors claim they are using known vulnerabilities.

This particular exploit checks for OS version, and only runs on Windows XP. We are able to reproduce the code execution and confirm it’s a working zero-day exploit against IE8. During our research we also found the exploit constructs a ROP chain on non-ASLRed msvcrt.dll, and we verified it could also work against IE8 on Windows 7. So we believe there should be some other exploits targeting IE8 on Windows 7.

This post was intended to serve as a warning to the general public. We have notified Microsoft and are collaborating with them on research activities. We will continue to work with Microsoft on this in-the-wild discovery.

We will continue to update this blog as new information about this threat is found.  FireEye would like to acknowledge and thank iSight Partners for their assistance in this research.

[Update 05-03-2013]: Microsoft release a security advisory and assigned CVE-2013-1347 to this issue.

[Update 05-09-2013]: Microsoft release a Fix it Solution for CVE-2013-1347.