Microsoft Confirms Zero-Day IE Attacks

Microsoft on Saturday confirmed that attackers are actively exploiting an unpatched flaw in some versions of Internet Explorer to invade Windows systems, while engineers offered temporary workarounds as the company works toward issuing a fix.

The bug affects IE 6, IE 7 and IE 8, but not the more recent IE 9 and IE 10 browsers, according to Microsoft.

Active exploits

“Microsoft is aware of targeted attacks that attempt to exploit this vulnerability through Internet Explorer 8,” the company said in a statement.

The problem lies in the way that IE accesses an object in memory that has been deleted or has not been properly allocated, according to Microsoft’s advisory.

“The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer,” Microsoft stated. “An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website.”

Cristian Craioveanu and Jonathan Ness, engineers with Microsoft Security Response Centre (MSRC), confirmed in a separate security advisory that the bug is being used for “limited, targeted attacks affecting customers using Internet Explorer 6, 7, and 8”.

The four attacks analysed so far all use JavaScript to trigger the IE vulnerability, then set up a memory condition, such as a heap spray, so that the memory being accessed is useful to the attacker, according to Craioveanu and Ness. The attacks also find ways around Windows’ ASLR and DEP security features, they said.

‘Working around the clock’

“The best protection against exploits for this vulnerability is for the vulnerable code to not be present,” Craioveanu and Ness wrote. “Internet Explorer 9 or 10 do not include the vulnerable code. And the IE team is working around the clock to develop a security update to address this vulnerability for earlier versions of the product.”

The engineers suggested several techniques for mitigating the vulnerability, including disabling JavaScript, disabling Flash, and installing the EMET security tool.

Microsoft is also offering a FixIt protection tool for testing, which modifies IE so that, if attacked, the browser simply crashes rather than creating the conditions for code execution, according to Craioveanu and Ness. The company is planning to issue the finalised version of the tool, followed by a full security update, they said.

On Friday FireEye confirmed previous reports that the exploit was being deployed on the Council on Foreign Relations (CFR) website to install malicious code on the systems of visitors to that website.

“We can also confirm that the CFR website was also hosting the malicious content as early as Friday, December 21 – right before a major US holiday,” FireEye wrote in an advisory. “We can also confirm that the malicious content hosted on the website does appear to use Adobe Flash to generate a heap spray attack against Internet Explorer version 8.0 (fully patched), which was the source of the zero-day vulnerability.”

In September Microsoft acknowledged that IE was being actively targeted for attacks using a zero-day flaw identified over the weekend by a security researcher from the Metasploit project.

Last year Microsoft was also obliged to issue a security advisory just before the New Year’s Eve holiday. On 28 December, 2011, Microsoft warned of a flaw in its ASP.NET programming language, following up a day later with an emergency patch.

Matthew Broersma

Matt Broersma is a long-standing tech freelance who has worked for Ziff-Davis, ZDNet and other leading publications.