On the 1st of May (a date which many countries celebrate as Labor Day), the US Department of Labor’s website was hacked. This was described as a watering hole type of attack, aimed at certain people only. The first news reports identified the exploit as targeting an already known and patched Internet Explorer vulnerability; today, details emerged that this was not the case.
A few days ago I remember visiting the live site and my browser just crashed, something I did not think about too much since I was using one of our honeypots with out-of-date software.
Fool me once, shame on me. This time I was out to find out, except that now the site has been taken offline and redirects to this information page:
Thankfully, I was able to load the original files from a capture and reproduce the website by copying its files into my own local web server:
With that working I modified my hosts file to ‘trick’ the browser and redirect everything to the local host:
You can watch the exploit in this video. The browser opens up the page before crashing on the ‘cached’ US Department of Labor’s site. This currently affects Windows XP with Internet Explorer 8.
Microsoft has been informed and is looking into this vulnerability. Internet Explorer 8 is the most current version Windows XP users can update to, which makes this zero day a critical issue if it gets out in the wild.
If you have a second browser installed on your computer (Firefox, Chrome), I would strongly recommend using it until this gets patched. Again, this was a targeted attack that only affected a few people, but since the exploit code has already (inadvertently) been posted and is easy to find on various online resources, it is just a matter of time before it gets added to the mainstream exploit kits and does damage on a large scale.