The Neutrino exploit kit has seized a former zero-day vulnerability affecting Internet Explorer into its arsenal.
On May 10, Microsoft released a batch of security updates as part of its regular Patch Tuesday initiative. Included in that bundle was a fix for a vulnerability named CVE-2016-0189.
CVE-2016-0189 is a scripting engine remote memory corruption vulnerability that affects Microsoft’s Internet Explorer browser on Windows 10.
Earlier in 2016, attackers abused the zero-day bug to achieve remote code execution (RCE) on South Korean users’ machines via phishing emails and/or watering hole attacks.
Their curiosity piqued by those exploits, a group of security researchers known as “the Plaid Parliament of Coding” analyzed the vulnerability patch and published proof-of-concept (POC) exploit code for CVE-2016-0189 on June 22nd under their new firm name Theori.io.
The Register notes that the disclosure represents an important hallmark of the information security community. Such transparency regarding vulnerability disclosure is celebrated among many security professionals for what it imparts to others.
The Plaid Parliament of Coding said as much in their analysis:
“We hope you enjoyed reading about constructing a ‘1-day’ exploit from security patches. It is definitely a fun exercise to do, and sometimes gives you an insight about bugs & bug types that you haven’t looked at or considered.”
Unfortunately, not everyone shared those same feelings.
Researchers at FireEye observed the Neutrino exploit kit had adopted the researchers’ POC code into its arsenal shortly after the code went up on GitHub:
“In this example, Neutrino embedded exploits for five patched vulnerabilities: three for Adobe Flash Player (CVE-2016-4117, CVE-2016-1019, CVE-2015-8651) and two for Internet Explorer (CVE-2016-0189, CVE-2014-6332). CVE-2016-0189 is the newest addition to Neutrino’s arsenal.”
Neutrino embedded all five of those exploits into a Shockwave Flash (SWF) file. Upon successful infection, the exploit kit uses that file to profile a user’s machine for vulnerabilities and determine which flaws it should use to attack the system.
The speed with which Neutrino adopted CVE-2016-0189 is a reminder for all users to implement software updates as soon as they become available.
It’s also a sad reminder that full disclosure among security researchers can have unintended and unexpected consequences for ordinary users.