Attackers Exploit Serious Zero Day Internet Explorer Vulnerability

Yesterday, Microsoft released a critical security advisory warning customers of a serious new zero day vulnerability in Internet Explorer (IE), which attackers are exploiting in the wild.

According to a blog post, a security researcher named Eric Romang first discovered the zero day IE exploit as he was poking around a web server hijacked by the Nitro gang. Romang found four malicious files (.html x2, .swf, .exe) on the server, which acted together to infect his fully patched Windows XP machine.

Shortly after Romang’s release, Microsoft posted their security advisory confirming the previously undiscovered flaw in IE. The advisory warns that the flaw affects IE 7, 8, and 9, but not 10. Though Microsoft is still researching the issue, the vulnerability seems to be a “use after free” class of memory corruption vulnerability. In short, if an attacker can entice you to a web page containing maliciously crafted content, he could exploit this flaw to execute code on your machine, with your privileges. As usual, if you have local administrator privileges, the attacker would gain full control of your machine.

Zero day IE vulnerabilities are relatively rare, and very dangerous. Attackers are already exploiting this one in the wild, so it poses a significant risk. Furthermore, researchers have already added an exploit for this issue to the popular Metasploit framework, making it even easier for novices to leverage.

Unfortunately, Microsoft just learned of this flaw, so they haven’t had time to patch it yet. I suspect Microsoft may release an out-of-cycle patch for this flaw, but in the meantime here a few workarounds to help mitigate the issue:

  • Use IE 10 – IE 10 is not vulnerable to this issue. However, IE 10 is still only a preview build, and the latest versions only runs on Windows 8 and Server 2012. So this workaround may not help everyone.
  • Temporarily use a different web browser – I’m typically not one to recommend one web browser over another, as far as security is concerned. They all have had vulnerabilities. However, this is a fairly serious issue.  So you may want to consider temporarily using a different browser until Microsoft patches.
  • Install Microsoft EMETEMET is an optional Microsoft tool that adds additional memory protections to Windows. I described EMET in a previous episode of WatchGuard Security Week in Review. EMET is a fairly complex tool, so I only recommend it to more advanced administrators. Nonetheless, installing it could help protect your computer from many types of memory corruption flaws, including this one.
  • Configure Enhanced Security Configuration mode on Windows Servers – Windows Servers in Enhanced Security Configuration mode are not vulnerable to this attack.
  • Make sure your AV and IPS is up to date – While not all IPS and AV systems have signatures for all these attacks yet, they will in the coming days. In fact, if you use an XTM appliances with the IPS service, we can already detect and block the Metasploit variant of this attack. Whatever you use, be sure to keep your AV and IPS systems updating regularly, to get the latest protections.

I’ll continue to follow this issue as it evolves, and will post here as soon as Microsoft releases a patch.

As an aside, I apologize for the slight delay to this post. Unfortunately, I was on an international flight when this news first broke. — Corey Nachreiner, CISSP (@SecAdept)

About Corey Nachreiner

Corey Nachreiner has been with WatchGuard since 1999 and has since written more than a thousand concise security alerts and easily-understood educational articles for WatchGuard users. His security training videos have generated hundreds of letters of praise from thankful customers and accumulated more than 100,000 views on YouTube and Google Video. A Certified Information Systems Security Professional (CISSP), Corey speaks internationally and is often quoted by other online sources, including C|NET, eWeek, and Slashdot. Corey enjoys "modding" any technical gizmo he can get his hands on, and considers himself a hacker in the old sense of the word.

5 Responses to “Attackers Exploit Serious Zero Day Internet Explorer Vulnerability”

  1. thats the one

    Connected by DROID on Verizon Wireless


  1. What to do about Zero Day Internet Explorer Attack « CustomTec - September 18, 2012

    […]… Share this:TwitterFacebookLike this:LikeBe the first to like this. […]

  2. WatchGuard Security Week in Review: Episode 34 – IE 0day | WatchGuard Security Center - September 21, 2012

    […] WatchGuard IE zero day alert – WGSC […]

  3. WatchGuard Security Center - September 21, 2012

    […] you’ve read my two posts [ 1 / 2 ], and watched this week’s video, you already know all about the zero day vulnerability […]

  4. WatchGuard Security Week in Review: Episode 34 – IE 0day « microreksa - September 23, 2012

    […] WatchGuard IE zero day alert – WGSC […]

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s


Get every new post delivered to your Inbox.

Join 7,870 other followers

%d bloggers like this: