A newly discovered flaw affecting several versions of Microsoft’s Internet Explorer has left a significant portion of the world’s web browsers vulnerable to attack.
Disclosed in an unusual Saturday alert from Microsoft, the flaw is being called a serious “Zero Day” vulnerability by security company FireEye, which claims it affects more than 56 percent of the world’s web browsers currently in use.
It’s a remote code execution vulnerability, which in English means a bad guy can make a target computer run software after a successful attack. “The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer,” Microsoft’s alert reads. The phrase “arbitrary code” means pretty much any software that the attacker chooses to run.
In a post to its Security Response Center blog, Microsoft explains that the company has so far seen only “limited attacks” exploiting the vulnerability. It says attacks typically occur when a target has been convinced to click on a link.
FireEye, in a post of its own has declared the exploit a zero-day vulnerability, so named because they’re undisclosed or leave potential victims with zero days of warning. The company claims a gang of attackers has already launched a campaign exploiting the flaw.
Microsoft’s full security advisory goes into more detail, explaining that the vulnerability affects every version of the browser from Internet Explorer 6 through 11. FireEye says that most attacks are targeting IE9 through 11, which together account for more than 26 percent of the web browsers currently in use around the world. But when you add in IE versions 6 through 8, you’re talking about more like 56 percent.
Microsoft says that Internet Explorer 10 and 11 with Enhanced Protected Mode — which is enabled by default on those browsers — protects against attacks exploiting the vulnerability. The company is still investigating the matter and will provide an update when it’s complete.
FireEye goes into further detail, saying the vulnerability originates in Flash, the animation and video software from Adobe, and can be exploited using a well-known technique (Many technical details here) to access a computer’s memory, where malignant code can be deployed.
In one scenario, an attacker can create a website that is specifically designed to take advantage of this vulnerability, and then convince people using Explorer to click through. So if you use Explorer, be on the lookout for suspicious-looking email messages with Web links in them.
So who’s behind the attacks FireEye says are exploiting this new vulnerability? The company doesn’t go into a lot of detail, but it does say it’s an APT Group, which stands for “Advanced Persistent Threat.” FireEye generally saves that designation for the most serious and technically sophisticated of attackers.
“The APT group responsible for this exploit has been the first group to have access to a select number of browser-based Zero-Day exploits in the past,” FireEye explains. “They are extremely proficient at lateral movement and are difficult to track, as they typically do not reuse command and control infrastructure.”
FireEye says this same group was tied to a backdoor vulnerability known as Pirpi that appeared in 2010.