More than a month after it was disclosed, Microsoft has patched a zero day in Internet Explorer that was used in a campaign that targeted security researchers in recent months.
The flaw affects IE 11 and Microsoft Edge and allows remote code execution on all of the affected platforms, which include Windows Server, Windows 10, Windows 8.1, and Windows 7. Researchers at Enki, a Korean firm, discovered the vulnerability and published details of it in early February. The discovery came when attackers sent them an MHTML file that included exploit code for the flaw, which was unknown at the time.
“An attacker could host a specially crafted website designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website. The attacker could also take advantage of compromised websites, or websites that accept or host user-provided content or advertisements, by adding specially crafted content that could exploit the vulnerability,” Microsoft said in the patch release Tuesday.
“However, in all cases an attacker would have no way to force a user to view the attacker-controlled content. Instead, an attacker would have to convince a user to take action, typically by an enticement in an email or instant message, or by getting the user to open an attachment sent through email.’
The attempted attack on the Enki researchers was part of a broader campaign that went after security researchers for several months in 2020 and early 2021. The campaign was attributed to a group in North Korea and included the use of social media accounts and research blogs to help establish credibility and requests for help or research assistance to legitimate researchers.
“After building their reputation across their established social media accounts, the actors started approaching potential targets on social media platforms such as Twitter and LinkedIn. The conversations were often seemingly innocuous, asking security questions or talking about exploit techniques. If the researcher was responsive, the actor would offer to move communication to another platform (e.g., email, Discord) in some cases to then send files using encrypted or PGP protected ZIPs,” Microsoft’s Threat Intelligence Team said in a report on the campaign on Jan. 28.
When the IE flaw was disclosed, MIcrosoft said it was investigating the report, but did not provide any further public information until the patch release Tuesday.