The zero-day flaw, which affected both the Internet Explorer and Edge browsers, has finally been patched by Microsoft in security bulletins MS16-104 and MS16-105. The vulnerability was used in a large malvertising campaign, known as AdGholas, which was exposed by the security company Proofpoint last month.
By abusing this flaw, tracked as CVE-2016-3351, the crooks were able to evade security software and the security researchers who were investigating the malicious ads.
The zero-day allowed the cybercriminals to determine whether certain file extensions had been assigned to locally installed applications. The attackers used this information to check whether file extensions commonly used by reverse-engineering software were present on the potential victim's computer.
By default, AdGholas checks for the presence of the following file extensions: “.cap, .hwl, .har, .halog, .chls, .py, .bfr, and .pcap.”
According to the Proofpoint researchers who uncovered the bug, it was also used to check whether the victim's default browser is IE. Moreover, the people behind the malvertising campaign checked whether common file extensions such as “.torrent, .mkv, or .doc” were assigned. If so, it is a clear sign that a real user, with interests other than analyzing software code, is behind the PC.
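To see how the extension-association fingerprint described above would classify a given machine, here is an added example (not code from the article, Proofpoint, or the AdGholas campaign) that evaluates the two extension lists against the output of the Windows `assoc` command (lines of the form `.ext=progid`); the sample `assoc` output is constructed, and the "verdict" labels are assumptions based on the article's description.

```python
"""Evaluate an AdGholas-style file-extension fingerprint against a host.
Added example; the sample `assoc` output below is constructed."""

# Extensions the article says AdGholas checks for by default (analysis tooling).
ANALYST_EXTENSIONS = {".cap", ".hwl", ".har", ".halog", ".chls", ".py", ".bfr", ".pcap"}
# Extensions the article says were used as a "real user" signal.
REAL_USER_EXTENSIONS = {".torrent", ".mkv", ".doc"}


def parse_assoc(output):
    """Parse Windows `assoc` output (".ext=progid" per line) into {ext: progid}."""
    table = {}
    for line in output.splitlines():
        line = line.strip()
        if not line.startswith(".") or "=" not in line:
            continue  # skip blank lines and anything that is not an association
        ext, progid = line.split("=", 1)
        if progid:  # an empty progid means no handler is assigned
            table[ext.lower()] = progid
    return table


def classify_host(table):
    """Return the verdict such a check would reach, plus what it matched on."""
    present = set(table)
    analyst_hits = sorted(present & ANALYST_EXTENSIONS)
    user_hits = sorted(present & REAL_USER_EXTENSIONS)
    if analyst_hits:
        verdict = "analyst"        # analysis tools registered: likely a researcher box
    elif user_hits:
        verdict = "real_user"      # only everyday formats registered
    else:
        verdict = "undetermined"   # neither list matched
    return {
        "verdict": verdict,
        "analyst_hits": analyst_hits,
        "real_user_hits": user_hits,
        # Real-user extensions a sandbox operator could register to look like a desktop.
        "missing_real_user": sorted(REAL_USER_EXTENSIONS - present),
    }


# Constructed sample: an analysis VM with Wireshark, Python and Word installed.
SAMPLE_SANDBOX_ASSOC = """\
.pcap=wireshark-capture-file
.py=Python.File
.txt=txtfile
.doc=Word.Document.8
"""

if __name__ == "__main__":
    print(classify_host(parse_assoc(SAMPLE_SANDBOX_ASSOC)))
```

On a real Windows host, pipe the output of `assoc` into `parse_assoc` to see which registered extensions would give the machine away as an analysis environment.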
This zero-day is thought to date back to 2014. Proofpoint revealed, however, that the AdGholas group had been active since 2013 and, in the last year alone, had managed to infect 1.5 million victims. Aside from AdGholas, the zero-day was also used in other groups' malvertising campaigns, such as GooNky.
Microsoft patched the zero-day in security bulletins MS16-104 and MS16-105.