Secplicity – Security Simplified

IE FixIt Corrects Zero Day Drive-by Download Exploit

I can think of better ways to end the year than with a last-minute zero day Internet Explorer (IE) exploit found in the wild. Yet that is exactly what happened last week. The good news is Microsoft has a quick fix.

Late last week, FireEye reported that attackers had infected the Council on Foreign Relations’ (CFR) web site with malicious code that leveraged a previously undiscovered vulnerability in IE. If you visited this site while it was booby-trapped, the drive-by download code would exploit the zero day flaw to install malware onto your computer. The attack code also checks your browser version to confirm you’re vulnerable, and only targets victims with English, Russian, Chinese, Korean, and Japanese operating systems. The code seems to contain Chinese characters, leading some to believe this is a China-based attack.

Over the weekend, Microsoft released an early advisory confirming this vulnerability. They also updated the advisory on Monday to add a FixIt workaround. According to their post, the vulnerability only affects IE 6 through 8. So if you use the latest versions of IE (9 and 10), you’re immune to the exploit. Though Microsoft hasn’t released the full details yet, the vulnerability seems to involve a “use after free” problem, which attackers can leverage to corrupt memory and force a computer to execute code of their choosing. If you use IE 6-8, I highly recommend you apply Microsoft’s IE FixIt immediately.

That said, I expect the FixIt only provides a temporary solution, and you should expect a more complete patch during one of Microsoft’s upcoming Patch Days. — Corey Nachreiner, CISSP (@SecAdept)
