Neutrino exploit kit adds former IE zero-day flaw to its arsenal

Attackers seize on the work of vulnerability researchers to target unsuspecting users.

The Neutrino exploit kit has seized a former zero-day vulnerability affecting Internet Explorer into its arsenal.

On May 10, Microsoft released a batch of security updates as part of its regular Patch Tuesday initiative. Included in that bundle was a fix for a vulnerability named CVE-2016-0189.

CVE-2016-0189 is a scripting engine remote memory corruption vulnerability that affects Microsoft's Internet Explorer browser on Windows 10.

Earlier in 2016, attackers abused the zero-day bug to achieve remote code execution (RCE) on South Korean users' machines via phishing emails and/or watering hole attacks.

Their curiosity piqued by those exploits, a group of security researchers known as "the Plaid Parliament of Coding" analyzed the vulnerability patch and published proof-of-concept (POC) exploit code for CVE-2016-0189 on June 22nd under their new firm name Theori.io.

The Register notes that the disclosure represents an important hallmark of the information security community. Such transparency regarding vulnerability disclosure is celebrated among many security professionals for what it imparts to others.

The Plaid Parliament of Coding said as much in their analysis:

"We hope you enjoyed reading about constructing a '1-day' exploit from security patches. It is definitely a fun exercise to do, and sometimes gives you an insight about bugs & bug types that you haven’t looked at or considered."

Unfortunately, not everyone shared those same feelings.

Researchers at FireEye observed that the Neutrino exploit kit had incorporated the researchers' POC code into its arsenal shortly after the code went up on GitHub:

"In this example, Neutrino embedded exploits for five patched vulnerabilities: three for Adobe Flash Player (CVE-2016-4117, CVE-2016-1019, CVE-2015-8651) and two for Internet Explorer (CVE-2016-0189, CVE-2014-6332). CVE-2016-0189 is the newest addition to Neutrino’s arsenal."

Neutrino embedded all five of those exploits into a Shockwave Flash (SWF) file. Upon successful infection, the exploit kit uses that file to profile a user's machine for vulnerabilities and determine which flaws it should use to attack the system.

The speed with which Neutrino adopted CVE-2016-0189 is a reminder for all users to implement software updates as soon as they become available.

It's also a sad reminder that full disclosure among security researchers can have unintended and unexpected consequences for ordinary users.
