Cybercriminals exploited zero-day vulnerability in Internet Explorer for several months

An unknown zero-day vulnerability in Internet Explorer has been exploited by cybercriminals for several months. The vulnerability allowed attackers to retrieve information about files on the computer, such as which software was installed. The attacks were performed through malicious advertisements.

Microsoft patched the vulnerability yesterday. It is not the first time such a vulnerability was exploited through malicious advertisements; last month Microsoft patched a similar vulnerability. The vulnerabilities allowed an attacker to check whether the PC that loaded the advertisement belonged to a regular home user, or to a security researcher or security company. Attackers were able to determine this based on file associations on the attacked system and by finding out whether the attacked system was a sandbox or virtual machine. Many security researchers use such software to find and analyze malware.

The file-association trick worked by checking whether known file extensions used by malware-analysis software were associated with software on the system. Checking whether the system was a sandbox or virtual machine worked by checking whether file extensions were associated with software commonly found on regular users' PCs, such as Office, uTorrent and Skype.

If it was determined that the attacked system belonged to a security researcher, the attack didn't continue and the system wasn't infected. This way the attackers stayed under the radar for a long time, because the malicious advertisements were never noticed by the systems of security researchers.
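Because the decision described above hinges on file associations, an operator of an analysis sandbox can audit what an image's associations reveal. The following is an added example, not code from the article or from Microsoft: it parses the `.ext=ProgID` lines printed by the Windows `assoc` command, and the extension lists, the sample output and the function names are assumptions made for illustration (the article names the consumer software but no extensions).

```python
"""Audit a sandbox image's file associations for fingerprintable signals."""

# Assumed lists for illustration; the article names Office, uTorrent and Skype
# as consumer software but gives no specific extensions.
ANALYSIS_EXTS = {".pcap": "packet capture tools",
                 ".idb": "disassembler databases",
                 ".saz": "web-debugging proxy archives"}
CONSUMER_EXTS = {".docx": "Office", ".xlsx": "Office", ".torrent": "uTorrent"}

# Constructed sample of `assoc` output from a hypothetical analysis VM.
SAMPLE_ASSOC = """\
.txt=txtfile
.DOCX=Word.Document.12
.pcap=ExampleCapture.File
.idb=
not an association line
"""


def parse_assoc(text):
    """Parse `.ext=ProgID` lines into a dict; skip empty or malformed entries."""
    assoc = {}
    for line in text.splitlines():
        ext, sep, progid = line.strip().partition("=")
        if sep and ext.startswith(".") and progid:
            assoc[ext.lower()] = progid  # extensions are case-insensitive
    return assoc


def audit(assoc):
    """Report associations that make the image stand out from a home PC."""
    exposed = sorted(e for e in ANALYSIS_EXTS if e in assoc)
    missing = sorted(e for e in CONSUMER_EXTS if e not in assoc)
    return {"exposed_analysis": exposed,
            "missing_consumer": missing,
            "looks_like_home_pc": not exposed and not missing}


if __name__ == "__main__":
    report = audit(parse_assoc(SAMPLE_ASSOC))
    for ext in report["exposed_analysis"]:
        print(f"analysis tooling visible: {ext} ({ANALYSIS_EXTS[ext]})")
    for ext in report["missing_consumer"]:
        print(f"consumer software absent: {ext} ({CONSUMER_EXTS[ext]})")
    print("looks like a home PC:", report["looks_like_home_pc"])
```
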

The zero-day vulnerability in Internet Explorer that Microsoft patched yesterday was first discovered in April this year and reported to Microsoft. It is possible, however, that attackers had already been exploiting the vulnerability for some time before that. As far as is currently known, the Internet Explorer vulnerabilities have been abused by two different groups of cybercriminals.