Yesterday, Microsoft released a critical security advisory warning customers of a serious new zero day vulnerability in Internet Explorer (IE), which attackers are exploiting in the wild.
According to a blog post, a security researcher named Eric Romang first discovered the zero day IE exploit as he was poking around a web server hijacked by the Nitro gang. Romang found four malicious files (.html x2, .swf, .exe) on the server, which acted together to infect his fully patched Windows XP machine.
Shortly after Romang’s release, Microsoft posted their security advisory confirming the previously undiscovered flaw in IE. The advisory warns that the flaw affects IE 7, 8, and 9, but not 10. Though Microsoft is still researching the issue, the vulnerability seems to be a “use after free” class of memory corruption vulnerability. In short, if an attacker can entice you to a web page containing maliciously crafted content, he could exploit this flaw to execute code on your machine, with your privileges. As usual, if you have local administrator privileges, the attacker would gain full control of your machine.
Zero day IE vulnerabilities are relatively rare, and very dangerous. Attackers are already exploiting this one in the wild, so it poses a significant risk. Furthermore, researchers have already added an exploit for this issue to the popular Metasploit framework, making it even easier for novices to leverage.
Unfortunately, Microsoft just learned of this flaw, so they haven’t had time to patch it yet. I suspect Microsoft may release an out-of-cycle patch for this flaw, but in the meantime here a few workarounds to help mitigate the issue:
- Use IE 10 – IE 10 is not vulnerable to this issue. However, IE 10 is still only a preview build, and the latest versions only runs on Windows 8 and Server 2012. So this workaround may not help everyone.
- Temporarily use a different web browser – I’m typically not one to recommend one web browser over another, as far as security is concerned. They all have had vulnerabilities. However, this is a fairly serious issue. So you may want to consider temporarily using a different browser until Microsoft patches.
- Install Microsoft EMET – EMET is an optional Microsoft tool that adds additional memory protections to Windows. I described EMET in a previous episode of WatchGuard Security Week in Review. EMET is a fairly complex tool, so I only recommend it to more advanced administrators. Nonetheless, installing it could help protect your computer from many types of memory corruption flaws, including this one.
- Configure Enhanced Security Configuration mode on Windows Servers – Windows Servers in Enhanced Security Configuration mode are not vulnerable to this attack.
- Make sure your AV and IPS is up to date – While not all IPS and AV systems have signatures for all these attacks yet, they will in the coming days. In fact, if you use an XTM appliances with the IPS service, we can already detect and block the Metasploit variant of this attack. Whatever you use, be sure to keep your AV and IPS systems updating regularly, to get the latest protections.
I’ll continue to follow this issue as it evolves, and will post here as soon as Microsoft releases a patch.
As an aside, I apologize for the slight delay to this post. Unfortunately, I was on an international flight when this news first broke. — Corey Nachreiner, CISSP (@SecAdept)