A flaw in recent versions of Internet Explorer was used to attack visitors to a website for U.S. military veterans, and also appears to have been used earlier against French aerospace industry employees, researchers said Friday.
The flaw in Microsoft Corp's IE 10 Web browser was reported on Thursday, days after it was used inside the Web page of nonprofit U.S. group Veterans of Foreign Wars. The VFW said Friday that an unspecified federal law enforcement agency is investigating and that the malicious code on its site had been removed.
Security firm Websense Inc said it found similar attack code on a page set up on Jan. 20 with a Web address nearly identical to one used by a French aerospace association.
That suggests the attacks using the flaw have been going on for at least three weeks, but might have succeeded earlier against higher-value targets and escaped discovery, said Websense Director of Security Research Alexander Watson.
FireEye Inc, which discovered the VFW attack, said it appeared connected to previous attacks against the Japanese financial sector, security firm Bit9 and others that Symantec Corp security researchers attributed to a large and well-organized group in China. ()
The latest attacks are considered to be sophisticated as they rely on a previously unknown flaw of a sort that can cost $50,000 or more when sold by shadowy brokers to government agencies or contractors. The industry calls these flaws "zero-day vulnerabilities."
They also seem part of a multistage operation, with the attackers seeking to break into the computers of U.S. veterans or French defense contractors in the future. Once there, they could look
Although the initial report in the new campaign mentioned only IE 10, Microsoft said it had determined that IE 9 is also vulnerable.
"We recommend customers upgrade to Internet Explorer 11 for added protection," said Adrienne Hall, general manager of Microsoft's Trustworthy Computing Group.
Despite the use of the unknown flaw, Websense's Watson said the attacks were not that hard to spot. For one thing, a program that exploited the flaw was submitted on Jan. 20 to Virus Total, a free Google Inc service that shows whether any major antivirus provider would block the sample. In this case, none did. In addition, the programming language operated in the open, without complicated obfuscation that can deter analysis.
Watson said that was why he felt the attacks could prove to be by a new group, or even two different new groups. As