The Neutrino Exploit Kit has found another way to diversify its repertoire of attacks. According to recent reports, the kit has added one more weapon to its arsenal.
The Neutrino Exploit Kit has adopted a working exploit for CVE-2016-0189 in Microsoft's Internet Explorer browser, the source code of which had already been written and published by an independent security researcher. The exploit takes advantage of a scripting engine vulnerability in IE, allowing the cybercriminals to achieve Remote Code Execution (RCE).
In addition, the new exploit has been shown to affect IE on at least the Windows 10 operating system, and there is a very good chance that attackers could use it on earlier versions of Windows as well. Specialists believe that Neutrino works by bundling many exploits into a single Shockwave Flash file. Once the file has been downloaded and is running on a computer, it scans the machine for vulnerabilities and decides exactly which of its exploits to use in the attack.
Microsoft released a patch for this problem in May of this year, immediately after which a researcher known by the nickname Theori published a blog post analyzing the vulnerability himself and presenting his own source code. A very similar exploit was found shortly afterwards in the newest version of Neutrino.
CVE-2016-0189 was first exploited as a zero-day vulnerability during attacks in Asia. It results from a failure to put a lock on an array (a series of objects of the same size and type). Without this lock, the array's size value can easily be changed while another function is still running, causing memory corruption.
While looking through the patched version of IE, Theori noticed that the lock on the array had been newly introduced, and he used this information to create a working exploit. Not long after, the Neutrino developers picked up on it, hoping that not all IE users would download the patch.