Microsoft Issues New Security Advisory on IE Flaw
Microsoft issued a security advisory today for all supported versions of Internet Explorer.
The vulnerability is thought to be present on all IE versions, going all the way back to IE 6 on Windows XP. Microsoft indicated in its Security Advisory 2887505 that it is investigating the flaw but is "aware of targeted attacks" specifically on IE 8 and IE 9. The company may issue a patch in the near future, but for now it is pointing IT pros to a "Fix it" workaround described in this Knowledge Base article. The workaround only applies to 32-bit versions of IE.
Attackers exploiting this remote code execution flaw have to first direct the user to a Web page with malicious code, either via an e-mail attachment or IM link. The exploit is based on how IE handles "an object in memory that has been deleted or has not been properly allocated," according to the security advisory. This flaw can lead to a corruption in memory that allows an attacker to execute code. If the attack is successful, the attacker can gain a user's rights on a machine. Microsoft advises that the threat can be lessened when fewer accounts are run with full administrative rights.
There are some built-in protections for those running IE on Windows Server, the advisory explained. Windows Server 2003 and newer versions of the server use an "enhanced security configuration" that "can reduce the likelihood of a user or administrator downloading and running specially crafted web content on a server."
Microsoft is also recommending the use of its Enhanced Mitigation Experience Toolkit (EMET), which protects against general exploit techniques. EMET is listed in the advisory as a secondary workaround to deal with this vulnerability. EMET 4.0 is recommended for protecting IE.
IT pros can also set local intranet and Internet security zones in IE to the "high" setting, which will block scripting and ActiveX controls. However, IE may not work well with some Web sites at that setting. Another approach is to configure IE to prompt the user before running scripts, but users may be prompted frequently at some sites. In specific cases, adding sites to the "trusted sites zone" in IE gives finer control and avoids such issues.
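To check whether those zone workarounds are actually in effect on a machine, an administrator can read the per-user zone settings from the registry. The PowerShell below is an added example, not taken from the advisory or from Microsoft; the function name `Get-ZoneWorkaroundStatus` is hypothetical, and it assumes the standard Internet Settings zone layout (zone 1 is local intranet, zone 3 is Internet, value 1400 is Active scripting, value 1200 is running ActiveX controls and plug-ins).

```powershell
# Added example: report whether the zone workarounds described above are set
# for the current user. Reads only HKCU; Group Policy can override these values.
$ZoneRoot  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$Zones     = @{ 1 = 'Local intranet'; 3 = 'Internet' }
$HighLevel = 0x12000                       # CurrentLevel for the "High" template
$Setting   = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Resolve-Setting($value) {
    # Translate a URL action DWORD into the label shown in the IE dialog.
    if ($null -eq $value) { return 'Not set' }
    if ($Setting.ContainsKey([int]$value)) { return $Setting[[int]$value] }
    return "Unknown ($value)"
}

function Get-ZoneWorkaroundStatus {
    foreach ($id in ($Zones.Keys | Sort-Object)) {
        $key   = Join-Path $ZoneRoot ([string]$id)
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) {
            # Key missing: nothing configured for this user in this zone.
            [pscustomobject]@{ Zone = $Zones[$id]; Level = 'Not set'
                ActiveScripting = 'Not set'; ActiveX = 'Not set'; WorkaroundApplied = $false }
            continue
        }
        $script  = $props.'1400'           # Active scripting
        $activeX = $props.'1200'           # Run ActiveX controls and plug-ins
        $isHigh  = ($props.CurrentLevel -eq $HighLevel)
        # Either workaround counts: zone at High, or scripting set to Prompt/Disable.
        $scriptRestricted = ($null -ne $script) -and ($script -in 1, 3)
        $level = if ($isHigh) { 'High' } else { '0x{0:X}' -f [int]$props.CurrentLevel }
        [pscustomobject]@{
            Zone              = $Zones[$id]
            Level             = $level
            ActiveScripting   = Resolve-Setting $script
            ActiveX           = Resolve-Setting $activeX
            WorkaroundApplied = ($isHigh -or $scriptRestricted)
        }
    }
}

Get-ZoneWorkaroundStatus | Format-Table -AutoSize
```

A zone reported with `WorkaroundApplied` set to `False` still runs script without prompting, so it remains exposed unless the Fix it or EMET is in place.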
The security advisory that was issued today comes on top of Microsoft's September security update, which was released last week. That release included "critical" and "moderate" fixes for 10 flaws in IE that could lead to remote code execution exploits.
Kurt Mackie is online news editor for the 1105 Enterprise Computing Group.