Security researchers announced yesterday they had separately discovered flaws in Microsoft’s Internet Explorer and Apple’s iOS operating system that could allow attackers to take over machines running either software.
The iOS flaw is serious, but so far is only known to have been exploited by Roman Digerberg, the GPS application programmer who discovered it.
The Internet Explorer 10 flaw, on the other hand, was discovered by security firm FireEye as a functioning exploit being downloaded covertly from the compromised Website of a large U.S. veterans organization.
The exploit, discovered by FireEye on the compromised home page of the Veterans of Foreign Wars, attacks a zero-day flaw in Microsoft Internet Explorer 10 that allows an attacker to change a single byte of memory at an arbitrary address, according to FireEye, which posted a warning and analysis of the exploit in a blog post Feb. 13.
Attackers are exploiting the previously unknown flaw to avoid Windows security procedures designed to keep unauthorized code from executing or accessing the computer’s main memory. FireEye has nicknamed the attack “Operation SnowMan,” and said it began by compromising security at VFW.org and adding an iframe at the top of the site’s own HTML that will load in the background a second page containing HTML/Java code, which in turn launches a Flash object that runs the rest of the exploit.
The malicious Flash code overwrites a Flash object already in the system’s memory – bypassing Windows’ address space layout randomization (ASLR), which assigns memory locations to code objects randomly, making it difficult for attackers to know where their code will run, according to an Ars Technica story on the attack.
The Flash object uses that bit of owned memory to launch a return-oriented programming (ROP) exploit that bypasses Windows’ data execution prevention (DEP), then downloads a file containing the rest of the malware payload, according to FireEye.
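As an added defender-side illustration (not FireEye’s or Microsoft’s code), here is a small scanner for the injection step described above: it parses a page’s HTML and flags iframes that are hidden, near-zero size, or load from another host, which is the kind of check a site owner would run when looking for a planted iframe. The sample HTML and hostnames are constructed.

```python
# Added example: flag suspicious <iframe> injections in a site's own HTML.
# Constructed sample input; hostnames are placeholders, not real indicators.
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)

# Constructed page: one planted, hidden, off-site iframe and one legitimate one.
SAMPLE_HTML = """<html><body>
<iframe src="http://attacker-staging.test/second.html" width="0" height="0"
 style="display:none"></iframe>
<iframe src="https://example-veterans-site.test/video" width="600" height="400"></iframe>
<p>Welcome</p></body></html>"""


class IframeCollector(HTMLParser):
    """Collects the attribute dict of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k: (v or "") for k, v in attrs})


def _is_tiny(attrs):
    """True if width or height is 0/1 px, a common way to hide a loader frame."""
    try:
        return int(attrs.get("width", "100")) <= 1 or int(attrs.get("height", "100")) <= 1
    except ValueError:  # e.g. "100%" - not a pixel size, do not flag on size alone
        return False


def find_suspicious_iframes(html, site_host):
    """Return a list of (src, reasons) for iframes that look injected."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        reasons = []
        host = urlparse(src).hostname
        if host and host.lower() != site_host.lower():
            reasons.append("off-site src")
        if _is_tiny(attrs):
            reasons.append("near-zero size")
        if HIDDEN_STYLE.search(attrs.get("style", "")):
            reasons.append("hidden by style")
        if reasons:
            findings.append((src, reasons))
    return findings
```

Running `find_suspicious_iframes(SAMPLE_HTML, "example-veterans-site.test")` reports only the planted frame, with all three reasons.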
The vulnerability exists in Internet Explorer 10, but not in IE 11 or on versions of IE 10 reinforced by Microsoft’s Enhanced Mitigation Experience Toolkit (EMET), which is designed to stop bits of software acting suspiciously even without having been flagged as malware. “Installing EMET or updating to IE 11 prevents this exploit from functioning,” according to FireEye.
“Microsoft is aware of limited, targeted attacks against Internet Explorer 9 and 10,” Microsoft told Ars Technica in an email the night of Feb. 13. “As our investigation continues, we recommend customers upgrade to Internet Explorer 11 for added protection.”
Meanwhile, Apple has still not responded to reports of the zero-day flaw discovered by Swedish programmer Roman Digerberg, who accidentally sent a message to his iPhone while writing a program in C# for his GPS tracker, according to the Swedish edition of TechWorld.
The previously unknown flaw in iOS security is a “monster” that allowed him to take over the voice mail, text messaging and call logs of iOS devices, or even lock them up completely, after taking over and manipulating the message structure within his iPhone, according to a description in the U.K.’s Daily Caller.
The first result was the ability to send an unblockable text message to an iPhone’s lock screen, even if the user had turned off the option to show text messages on the lock screen first.
The same opening gave Digerberg control over the voice mail indicator on the home screen, allowing him to hear, change or erase the voice mails displayed, and to lock the current user out of the phone completely, a move that requires a factory-reset to reverse, Digerberg said.
The programmer told TechWorld he’d tried to notify Apple by phone and by email, but got no response. He called the Swedish TechWorld to get the word out after Apple showed no interest. He said he had been approached by companies interested in using the exploit to send unavoidable advertising messages to iPhone lock screens, but has so far refused.
“Some people think that I should start a pay service online where you can anonymously send different types of messages,” Digerberg told Techworld Sweden. “You can imagine what chaos there would be if people start sending unwanted and unavoidable messages to each other and make changes in each other’s phones.”