Microsoft security experts have had a busy new year after rapidly releasing a tool to help users address a zero-day vulnerability affecting Internet Explorer.
The tool is meant to address a vulnerability discovered in the wild roughly a week ago. According to Microsoft, the issue affects IE versions 6, 7 and 8. Internet Explorer 9 and 10 are not affected.
The vulnerability affects how IE accesses an object in memory that has been deleted or not properly allocated. As a result, memory can be corrupted in a way that would allow an attacker to remotely execute code with the rights of the logged-on user.
“We encourage customers to apply the Fix it…to help ensure maximum protection,” Dustin Childs, group manager of Microsoft Trustworthy Computing, said in a statement. “Additionally, customers should ensure their anti-malware solution is up-to-date and follow good network hygiene practices, such as enabling a firewall, for added protection against threats.”
“The site was believed to be compromised and used to serve up the zero-day exploit as part of watering-hole style attacks as far back as 21 December,” according to Symantec’s Security Response Team. “A flash file named today.swf was used to trigger the vulnerability in Internet Explorer.”
In a blog post, Microsoft Research Center engineers Cristian Craioveanu and Jonathan Ness stated that the company has analysed four exploits. While users await a patch, they can block attacks by taking a number of actions, including disabling JavaScript, which will prevent the vulnerability from being triggered initially. In addition, users can disable Flash to prevent the ActionScript-based heap spray from preparing memory in such a way that the freed object contains exploit code.
Another step users can take, according to the duo, is to disable the ms-help protocol handler and ensure that Java6 is not allowed to run; this will block the address space layout randomisation (ASLR) bypass associated with the return-oriented programming (ROP) chain.
Other workarounds include setting the local intranet security zone settings to “high” to block ActiveX Controls and deploying the Enhanced Mitigation Experience Toolkit (EMET).
Microsoft did not offer an exact date as to when a patch would be ready. However, the company said it is working on a solution.
“We want to reiterate the IE9 and IE10 are not affected and that we currently see only very targeted attacks,” blogged Craioveanu and Ness. “And we’re working around the clock on the full security update. You should next expect to see an update from us announcing the availability of a Fix It tool to block the vulnerable code paths.”
Microsoft did not offer an exact date as to when a patch would be ready, but stated that it is in the process of developing a true fix.
Jm Hipolito, technical communications specialist at Trend Micro, noted that watering-hole attacks such as the one targeting visitors to the Council on Foreign Relations site are evidence of how attackers use information about their targets to launch more effective attacks.
“If we look at how a watering-hole attack works, we’ll see that the methods used are very much familiar to us,” Hipolito blogged. “However, the strategic placing of the threat itself makes it threatening in a more different level than any other Web compromise or 0-day attack, in the same way that a spear-phishing email is more effective than the typical spam emails. Attackers are able to generate strong social-engineering methods by leveraging their knowledge of their target’s profile, thus eliminating the need for creating very sophisticated tools. And this is something that users must fully realize, because the attackers are no longer just using software vulnerabilities, they’re also using the users themselves.”
Are you a security pro? Try our quiz!
Originally published on eWeek.
Suspended prison sentence for Craig Wright for “flagrant breach” of court order, after his false…
Cash-strapped south American country agrees to sell or discontinue its national Bitcoin wallet after signing…
Google's change will allow advertisers to track customers' digital “fingerprints”, but UK data protection watchdog…
Welcome to Silicon In Focus Podcast: Tech in 2025! Join Steven Webb, UK Chief Technology…
European Commission publishes preliminary instructions to Apple on how to open up iOS to rivals,…
San Francisco jury finds Nima Momeni guilty of second-degree murder of Cash App founder Bob…