Neutrino exploit kit adds former IE zero-day flaw to its arsenal

David Bisson



The Neutrino exploit kit has added a former zero-day vulnerability affecting Internet Explorer to its arsenal.

On May 10, Microsoft released a batch of security updates as part of its regular Patch Tuesday initiative. Included in that bundle was a fix for a vulnerability named CVE-2016-0189.


CVE-2016-0189 is a scripting engine remote memory corruption vulnerability that affects Microsoft’s Internet Explorer browser on Windows 10.

Earlier in 2016, attackers abused the zero-day bug to achieve remote code execution (RCE) on South Korean users’ machines via phishing emails and/or watering hole attacks.

Their curiosity piqued by those exploits, a group of security researchers known as “the Plaid Parliament of Coding” analyzed the vulnerability patch and published proof-of-concept (POC) exploit code for CVE-2016-0189 on June 22nd under their new firm name Theori.io.

The Register notes that the disclosure represents an important hallmark of the information security community. Such transparency regarding vulnerability disclosure is celebrated among many security professionals for what it imparts to others.

The Plaid Parliament of Coding said as much in their analysis:

“We hope you enjoyed reading about constructing a ‘1-day’ exploit from security patches. It is definitely a fun exercise to do, and sometimes gives you an insight about bugs & bug types that you haven’t looked at or considered.”


Unfortunately, not everyone shared those same feelings.

Researchers at FireEye observed that the Neutrino exploit kit had adopted the researchers’ POC code into its arsenal shortly after the code went up on GitHub:

“In this example, Neutrino embedded exploits for five patched vulnerabilities: three for Adobe Flash Player (CVE-2016-4117, CVE-2016-1019, CVE-2015-8651) and two for Internet Explorer (CVE-2016-0189, CVE-2014-6332). CVE-2016-0189 is the newest addition to Neutrino’s arsenal.”

Neutrino embedded all five of those exploits into a Shockwave Flash (SWF) file. Upon successful infection, the exploit kit uses that file to profile a user’s machine for vulnerabilities and determine which flaws it should use to attack the system.


The speed with which Neutrino adopted CVE-2016-0189 is a reminder for all users to implement software updates as soon as they become available.

It’s also a sad reminder that full disclosure among security researchers can have unintended and unexpected consequences for ordinary users.

David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News and Associate Editor for Tripwire's "The State of Security" blog.