What You Need to Know About New IE Zero-Day

Internet Explorer is under attack again. Microsoft has issued a security advisory describing a newly discovered exploit that affects most versions of the Internet Explorer Web browser. The advisory details the threat and offers guidance for protecting vulnerable browsers until Microsoft ships a patch for the hole.

Andrew Storms, Director of Security Operations for nCircle, commented on the new threat, "It's always a serious concern when an IE zero-day surfaces, especially when it affects all versions of the browser. It's a little late for Halloween, but two zero days in one week is almost enough to make IT security teams run away screaming."

Storms added, "There is some good news however; Microsoft says the attacks are limited at the moment and data execution prevention (DEP), a security safeguard in newer versions of Windows, may be able to prevent attack execution."

A spokesperson from Symantec e-mailed me with these details. "A new zero-day vulnerability affecting Internet Explorer 6 and 7 is being used in targeted attacks. In these attacks people receive emails with a link pointing to a page which determines if a visitor is using Internet Explorer 6 and 7. If so, the script transfers the visitor unknowingly to the page hosting the exploit where malware is downloaded and runs on their computer without any user interaction. The vulnerability allows for any remote program to be executed without the end user's notice."

[Graphic: Chip Taylor] Internet Explorer 6, 7, and 8 are the target of a new zero-day exploit.
According to a post on the Microsoft Security Response Center blog, the issue also affects Internet Explorer 8, but not the beta of Internet Explorer 9. Microsoft also stresses, though, that while IE8 might be technically vulnerable, its superior security controls make it unlikely that it could be exploited. "Impacted versions include Internet Explorer 6, 7 and 8, although our ongoing investigation confirms that default installations of Internet Explorer 8 are unlikely to be exploited by this issue. This is due to the defense in depth protections offered from Data Execution Prevention (DEP), which is enabled by default in Internet Explorer 8 on all supported Windows platforms."

A Symantec blog post describes the threat and the e-mails used to initiate the exploit. The attack was discovered through targeted e-mails sent to a limited number of potential victims, which suggests the attackers were seeking to compromise specific targets rather than any random vulnerable system connected to the Internet.

The Symantec post explains, "Visitors who were served the exploit page didn't realize it, but went on to download and run a piece of malware on their computer without any interaction at all. The vulnerability allowed for any remote program to be executed without the end user's notice. Once infected, the malware set itself to start up with the computer, along with a service named 'NetWare Workstation'. The piece of malware opens a backdoor on the computer and then contacts remote servers. It tries to contact a specific server hosted in Poland for small files named with a .gif extension. These small files are actually encrypted files with commands telling the Trojan what to do next."

The Microsoft security advisory lists mitigating factors and workarounds to help users and IT admins guard against this threat. Microsoft recommends reading e-mail messages in plain text rather than HTML. Users of Internet Explorer 7 can turn on DEP, which is present but not enabled by default in that version, for additional protection.

Those unfortunate souls that still rely on Internet Explorer 6 are directed to set the Internet and Local Intranet security zones in the browser to High in order to block execution of ActiveX controls and scripts. In addition, a custom CSS style sheet can be forced to override Web CSS style sheets to prevent exploitation, and organizations can also use the Enhanced Mitigation Experience Toolkit to apply newer security controls to older, less secure software.
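For admins who want to check and apply the zone workaround above across many machines rather than clicking through Internet Options, here is an added PowerShell example (not from the Microsoft advisory). It assumes the per-user zone keys under `HKCU\...\Internet Settings\Zones` and the `CurrentLevel` DWORD encoding that Internet Explorer uses for its security templates (0x12000 = High); a Group Policy setting for the same zones will take precedence over these per-user values.

```powershell
# Zone identifiers as Internet Explorer stores them under Internet Settings\Zones.
$Zones  = @{ 1 = 'Local Intranet'; 3 = 'Internet' }
# CurrentLevel values for the built-in security templates (assumed encoding).
$Levels = @{ 0x10000 = 'Low'; 0x10500 = 'Medium-Low'; 0x11000 = 'Medium';
             0x11500 = 'Medium-High'; 0x12000 = 'High' }
$High   = 0x12000
$Base   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'

# Read the current security level of one zone for the logged-on user.
function Get-IEZoneLevel {
    param([int]$Zone)
    $key   = Join-Path $Base $Zone
    $value = (Get-ItemProperty -Path $key -Name CurrentLevel -ErrorAction Stop).CurrentLevel
    [pscustomobject]@{
        Zone  = $Zones[$Zone]
        Id    = $Zone
        Level = $value
        Name  = if ($Levels.ContainsKey([int]$value)) { $Levels[[int]$value] } else { 'Custom' }
    }
}

# Raise one zone to High, which disables ActiveX controls and Active Scripting.
function Set-IEZoneHigh {
    param([int]$Zone)
    $key = Join-Path $Base $Zone
    Set-ItemProperty -Path $key -Name CurrentLevel -Value $High -Type DWord
}

# Audit both zones named in the advisory, then fix any that are below High.
foreach ($id in $Zones.Keys) {
    $before = Get-IEZoneLevel -Zone $id
    if ($before.Level -ne $High) {
        Write-Host ("{0} zone is {1} (0x{2:X}); raising to High" -f $before.Zone, $before.Name, $before.Level)
        Set-IEZoneHigh -Zone $id
        $after = Get-IEZoneLevel -Zone $id
        Write-Host ("{0} zone is now {1}" -f $after.Zone, $after.Name)
    } else {
        Write-Host ("{0} zone is already High" -f $before.Zone)
    }
}
```

Run it in the affected user's session; because it writes to HKCU, it changes only that user's browser settings, and a machine-wide rollout would use the equivalent Group Policy zone settings instead.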

Arguably, the simplest solution, though, is to install the beta version of Internet Explorer 9. That protects your PC against this attack and lets you try the new features and benefits of IE9 at the same time.
