Internet Explorer software hole may have been used to steal data and infect PCs in South Korea

A recently patched 'software hole' vulnerability affecting Microsoft's Internet Explorer (IE) browser has been actively exploited to attack targets in South Korea, security firm Symantec has said.

The 'zero day' flaw in question, known as CVE-2016-0189, was a remote memory-corruption vulnerability that could allow attackers the ability to infect computers by directing unsuspecting users to a malware-ridden website. In a post on the Symantec website, it's stated that Internet Explorer 9, 10, and 11 were vulnerable. While the flaw has now been resolved in the latest Patch Tuesday release, any users that don't update their computer systems remain at risk of exploitation.

"Attackers took advantage of the CVE-2016-0189 vulnerability before Microsoft patched it," the Symantec Security Response team warned in a blog post. "They may have distributed the exploit through a link included in a spear phishing email or a compromised, legitimate website that redirected users to the exploit."

According to the researchers, the exploit's website contained a form of JavaScript that profiled a users' computer before determining exactly what version of IE, Flash, and Windows was running on the system.

"The JavaScript then delivered the exploit in an obfuscated VBScript file," the blog post continued. "If the exploit succeeded, it downloaded a malicious file from a .co.kr website." As this URL is a top-level domain used in South Korea, the team said that IE users in this region were likely the desired targets.

As Symantec noted, South Korean web users remain heavily reliant on IE. In 1999, a law was passed that forced websites operating online to adopt Microsoft ActiveX in order to use a form of encryption developed by the Korea Information Security Agency for all online transactions. As IE is the only browser to support ActiveX, adoption in South Korea rocketed. Now, despite making moves to distance itself from this outdated form of online encryption in recent years, much of the region still relies on IE when surfing the web.

Culprit remains unknown

The security team admitted the exact payload of the attack remains unknown – and, as per usual for vendors such as Symantec, did not speculate on who may have launched the attacks against South Korean targets. "The motivations of attacks affecting South Korean organisations often involve espionage or sabotage," Symantec noted. "Attackers have been observed targeting South Korean entities to gain remote access to their computers, steal sensitive data, or wipe hard drives."

One culprit often suspected of launching such cyberattacks is North Korea, which is thought to be expanding its offensive cyber-capabilities – especially in the wake of the attack against Sony Pictures in 2014, which many believe to have been orchestrated by the reclusive nation. Most recently, counter-espionage agents in South Korea launched a probe after an alleged hack against a firm that helps to build naval warships was hit by a cyberattack that may have compromised classified files and documentation.