microsoft_building

Ken Wolter/Shutterstock

Security


A newly discovered flaw affecting several versions of Microsoft’s Internet Explorer has left a significant portion of the world’s web browsers vulnerable to attack.

Disclosed in an unusual Saturday alert from Microsoft, the flaw is being called a serious “Zero Day” vulnerability by security company FireEye, which claims it affects more than 56 percent of the world’s web browsers currently in use.

It’s a remote code execution vulnerability, which in English means a bad guy can make a target computer run software after a successful attack. “The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer,” Microsoft’s alert reads. The phrase “arbitrary code” means pretty much any software that the attacker chooses to run.

In a post to its Security Response Center blog, Microsoft explains that the company has so far seen only “limited attacks” exploiting the vulnerability. It says attacks typically occur when a target has been convinced to click on a link.

FireEye, in a post of its own has declared the exploit a zero-day vulnerability, so named because they’re undisclosed or leave potential victims with zero days of warning. The company claims a gang of attackers has already launched a campaign exploiting the flaw.

Microsoft’s full security advisory goes into more detail, explaining that the vulnerability affects every version of the browser from Internet Explorer 6 through 11. FireEye says that most attacks are targeting IE9 through 11, which together account for more than 26 percent of the web browsers currently in use around the world. But when you add in IE versions 6 through 8, you’re talking about more like 56 percent.

Microsoft says that Internet Explorer 10 and 11 with Enhanced Protected Mode — which is enabled by default on those browsers — protects against attacks exploiting the vulnerability. The company is still investigating the matter and will provide an update when it’s complete.

FireEye goes into further detail, saying the vulnerability originates in Flash, the animation and video software from Adobe, and can be exploited using a well-known technique (Many technical details here) to access a computer’s memory, where malignant code can be deployed.

In one scenario, an attacker can create a website that is specifically designed to take advantage of this vulnerability, and then convince people using Explorer to click through. So if you use Explorer, be on the lookout for suspicious-looking email messages with Web links in them.

So who’s behind the attacks FireEye says are exploiting this new vulnerability? The company doesn’t go into a lot of detail, but it does say it’s an APT Group, which stands for “Advanced Persistent Threat.” FireEye generally saves that designation for the most serious and technically sophisticated of attackers.

“The APT group responsible for this exploit has been the first group to have access to a select number of browser-based Zero-Day exploits in the past,” FireEye explains. “They are extremely proficient at lateral movement and are difficult to track, as they typically do not reuse command and control infrastructure.”

FireEye says this same group was tied to a backdoor vulnerability known as Pirpi that appeared in 2010.



5 comments
LawrenceW
LawrenceW

"originates in Flash". This was the continuing complaint Steve Jobs had with Adobe and this product -- buggy, poor performance, and security holes. No question, sites that still use Flash (too many of them) cannot be viewed on my iOS devices. Even on under the protections of Mac OSX sandboxed Flash still causes run-away CPU usage. 


Flash should be banned -- period. 

LVKen7
LVKen7

This is NOT NEW. 
MSoft has had Access to your Windows PC 
every time you get on the Internet. 
It is NOT IE is it the OS. 

LVKen7
LVKen7

 MSoft has access to Every Windows based PCs in the World, thru IE,

whenever the PC is Connected to the Internet. 
So, why is this a surprise? 
It is NOT the IE that makes the PC Venerable, it is the Windows OS. 
You can NOT Uninstall IE. So having Chrome of FFox does NOT help. 

rbitrage
rbitrage

Wouldn't it be nice to inform the layman how to AVOID the vulnerability since Microsoft won't automatically up date Xp?  In the simplest of terms, the vulnerability happens when you use flash on IE.  So, remove flash from IE or disable IE so that it does not get used.  Because flash is used on so many sites, disabling IE is probably an easier alternative.  Disabling IE is done via "Set Program Access and Defaults" inside "Add or Remove Programs" in the Control Panel.  Be sure to have another browser (like Firefox or Chrome) installed before the procedure if you want access to the web.

julienm
julienm

[quote]Microsoft says that Internet Explorer 10 and 11 with Enhanced Protected Mode — which is enabled by default on those browsers — protects against attacks exploiting the vulnerability[/quote]

there is a mistake here.

Enhanced Protected Mode is supported only on Windows 8.x (not 7), and it is enabled by default ONLY on the Metro version of IE.

Users of IE/desktop must open the Internet options panel, go to advanced tab, and under Security the checkbox "Enhanced Protected Mode" must be checked.

If you can't do this, Microsoft recommends to install Microsoft EMET, which is a free security tool designed to disrupt 0day exploits like this one. It's a great tool to have, even if you don't use IE, because EMET can provide protection against unknown memory corruption flaws for any application. While not a perfect protection, so far I never heard about any IE 0day exploit in the wild bypassing EMET.

Follow

Get every new post delivered to your Inbox.

Join 292,824 other followers