The zero-day flaw, which affected both the Internet Explorer and Edge browsers, has finally been patched by Microsoft in security bulletins MS16-104 and MS16-105. The vulnerability had been used in a large malvertising campaign, known as AdGholas, which the security company Proofpoint exposed last month.
Abusing this flaw, tracked as CVE-2016-3351, the crooks were able to evade security products and the security researchers who were investigating the malicious ads.
Technically, the zero-day is an information disclosure vulnerability: a JavaScript call executed inside IE or Edge exposes details about the underlying Windows installation. In this campaign the technique is also known as a "MIME type check."
The zero-day allowed the cybercriminals to determine whether or not certain file extensions had been associated with locally installed applications. The attackers used this information to see whether file extensions commonly produced by reverse-engineering and traffic-analysis tools were registered on the potential victim's computer.
If such extensions were found, the crooks could be fairly sure that the PC's owner was a security engineer, or that the PC was a virtual machine or sandboxed environment in which the malicious ad code was likely to be analyzed. In that case, the JavaScript redirections responsible for the actual exploitation would stop executing and drop the connection, so the analyst never saw the exploit chain.
The file extensions whose presence AdGholas checked for by default were the following: ".cap, .hwl, .har, .halog, .chls, .py, .bfr, and .pcap" (formats typical of packet captures, web-debugging proxies and scripting tools).
According to the Proofpoint researchers who uncovered the bug, the same flaw was also used to check whether the victim's default browser was IE. Moreover, the people behind the malvertising campaign checked whether common file extensions such as ".torrent, .mkv, or .doc" were associated. If so, that was taken as a clear sign that a real user, with interests other than analyzing software code, was behind the PC.
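The filtering logic described above, written out as an added example (this is not code from the AdGholas campaign, from Proofpoint's report or from Microsoft). The article does not spell out the JavaScript call behind the "MIME type check", so the probe is passed in as a plain function, and a constructed lookup table stands in for the victim machine's extension-to-application associations. The names `classifyVisitor`, `probeFrom`, `RE_EXTENSIONS`, `COMMON_EXTENSIONS` and the verdict strings are assumptions made for the example; treating the default-browser check as a required signal is likewise an assumption, since the page only says the check was performed.

```javascript
// Added example: re-implements the AdGholas gating logic described in the
// article. The IE/Edge probe itself is NOT shown; `hasExtension` is any
// function that answers "is this extension associated with a local app?".

// Extensions the article says AdGholas treated as analyst/sandbox indicators.
const RE_EXTENSIONS = ['.cap', '.hwl', '.har', '.halog', '.chls', '.py', '.bfr', '.pcap'];

// Extensions the article says were taken as evidence of an ordinary user.
const COMMON_EXTENSIONS = ['.torrent', '.mkv', '.doc'];

// Verdict strings (assumed names, not from the page).
const VERDICT = Object.freeze({
  ABORT: 'abort',     // analyst tooling found: stop and drop the connection
  SKIP: 'skip',       // no analyst tooling, but not a convincing real user
  EXPLOIT: 'exploit', // proceed with the redirect chain
});

/**
 * Decide whether the malvertising chain should continue.
 *
 * @param {(ext: string) => boolean} hasExtension  probe for one extension
 * @param {boolean} defaultBrowserIsIE            result of the default-browser check
 * @returns {{verdict: string, reMatches: string[], commonMatches: string[]}}
 */
function classifyVisitor(hasExtension, defaultBrowserIsIE) {
  const reMatches = RE_EXTENSIONS.filter((ext) => hasExtension(ext));
  const commonMatches = COMMON_EXTENSIONS.filter((ext) => hasExtension(ext));

  // Any reverse-engineering extension: assume a sandbox or researcher and bail out.
  if (reMatches.length > 0) {
    return { verdict: VERDICT.ABORT, reMatches, commonMatches };
  }
  // Assumed gating (see lead-in): require IE as default browser and at least
  // one everyday file association before exposing the exploit chain.
  if (!defaultBrowserIsIE || commonMatches.length === 0) {
    return { verdict: VERDICT.SKIP, reMatches, commonMatches };
  }
  return { verdict: VERDICT.EXPLOIT, reMatches, commonMatches };
}

// Build a probe from a constructed list of "registered" extensions so the
// logic can be exercised offline without IE/Edge. Lookups are case-insensitive
// because Windows file associations are.
function probeFrom(registeredExtensions) {
  const table = new Set(registeredExtensions.map((e) => e.toLowerCase()));
  return (ext) => table.has(ext.toLowerCase());
}

// Constructed sample machines (not real telemetry).
const ANALYST_VM = probeFrom(['.doc', '.pcap', '.py', '.txt']);
const HOME_USER = probeFrom(['.doc', '.torrent', '.mkv', '.mp3']);
const BARE_SANDBOX = probeFrom(['.txt', '.exe']); // nothing revealing installed

// Runs the three constructed machines through the filter.
function demo() {
  return {
    analyst: classifyVisitor(ANALYST_VM, true).verdict,       // 'abort'
    homeUser: classifyVisitor(HOME_USER, true).verdict,       // 'exploit'
    bareSandbox: classifyVisitor(BARE_SANDBOX, true).verdict, // 'skip'
    chromeUser: classifyVisitor(HOME_USER, false).verdict,    // 'skip'
  };
}

console.log(demo());
```

The practical lesson for anyone analyzing malvertising in a lab is visible in the `BARE_SANDBOX` case: a clean VM with no capture tools installed still gets no exploit, because it also lacks the everyday associations a real user would have. To see the full chain, the analysis box has to both remove associations for capture and proxy formats and register decoy associations for common document and media types.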
Exploitation of this zero-day is thought to go back to 2014. Proofpoint, however, revealed that the AdGholas group itself had been active since 2013, and that in the last year alone it had managed to infect 1.5 million victims. Aside from AdGholas, the zero-day was also used in other groups' malvertising campaigns, such as GooNky.
Microsoft patched the zero-day in security bulletins MS16-104 and MS16-105.