Researchers Warn Over Internet Explorer 8 Zero-Day Flaw

Thomas Brewster,
microsoft

Attacks in the wild and a fresh Metasploit module make life difficult for Microsoft

A zero-day vulnerability affecting Internet Explorer 8 has caused something of a panic in the security community, as it’s been seen causing trouble in the wild.

Researchers discovered attackers had used the new unpatched flaw in last week’s watering hole attack against the US Department of Labor (DoL). Chinese sources are suspected of perpetrating the attack, and AlienVault Labs has claimed at least nine other websites were redirecting to the malicious server used by the hackers.

Metasploit, the penetration testing and hacking tool, has added a module for the zero-day too, making it easier for attackers to use it, and even more vital for IT to issue workarounds and for Microsoft to push out a patch.

bug-flaw-patchInternet Explorer flaw

“This particular exploit checks for OS version, and only runs on Windows XP. We are able to reproduce the code execution and confirm it’s a working zero-day exploit against IE8,” FireEye said in a blog post. The researchers were able to show how the flaw could be used to compromise IE8 on Windows 7.

Microsoft said it was looking into the vulnerability, noting it was “aware of attacks” attempting to exploit it.

“This is a remote code execution vulnerability. The vulnerability exists in the way that Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated,” the tech titan said in an advisory from Friday.

“The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer.”

Microsoft said it would either release a full fix in an upcoming Patch Tuesday release, or through an out-of-band (unschduled) update.

The firm is evidently worried about the potential for spear phishing attacks. It noted how its Outlook and Windows Mail products open HTML email messages in the “Restricted sites zone”, which disables script and ActiveX controls, and should “ reduce the risk of an attacker being able to use this vulnerability to execute malicious code”.

Patch Tuesday is coming a week today. “It will be challenging to get a fix integrated into these new Internet Explorer versions in time,” added Wolfgang Kandek, CTO of security firm Qualys, in a blog post.

What do you know about Internet security? Find out with our quiz!