News

Microsoft Zero-Day IE Flaw Being Actively Exploited

Microsoft released a security advisory on Monday to address a zero-day vulnerability found in  Internet Explorer 9 and earlier versions.

The flaw, which was publically disclosed by security firm Rapid7 Monday morning, can be exploited users running Internet Explorer on Windows XP, Vista and Windows 7.

"Computers can get compromised simply by visiting a malicious website, which gives the attacker the same privileges as the current user," wrote Rapid7 exploit developer "sinn3r".

The researcher responsible for the discovery, Eric Romang, tested the Internet Explorer flaw on a system running an up-to-date Windows XP SP3. However, he confirmed that Windows 8 (preview versions and RTM versions) is the only Microsoft OS that is not vulnerable to the hack. Also, the test version of Internet Explorer 10 is not vulnerable to attack.

Microsoft confirmed in its security advisory that it "is aware of targeted attacks that attempt to exploit this vulnerability" and is actively investigating the disclosure. However, Microsoft did not provide exploitation number or rate stats.

According to security researchers, the active attacks have used the Poison Ivy backdoor Trojan kit -- the same toolkit that was used in the recent Java zero-day attacks.

While the company did not give a timetable of if and when a security update would arrive, Microsoft's Yunsun Wee of the Trustworthy Computing Group outlined a temporary workaround, which includes deploying the Enhanced Mitigation Experience Toolkit (EMET); setting Internet security zones to "high" and disabling Active Scripting before using Internet Explorer.  

Andrew Storms, nCircle's director of security operations, commented in a blog post that Microsoft's workaround may not be enough to protect a system from attack. "EMET is a great tool, but at this point, it's not clear that EMET blocks every attack vector," wrote Storms. "If you haven't already deployed this toolkit, it's a great time to think about it, but not a great time to do so in a hurry."

Storms also said he believes that Microsoft will not wait until next month's security update to release a fix.

Rapid7 also provided its own workaround that does not involve the EMET: "Since Microsoft has not released a patch for this vulnerability yet, Internet users are strongly advised to switch to other browsers, such as Chrome or Firefox, until a security update becomes available," wrote "sinn3r".

 

About the Author

Chris Paoli is the site producer for Redmondmag.com and MCPmag.com.

Featured

  • Azure Backup for SQL Server Now Commercially Available

    Microsoft on Monday announced that Azure Backup for SQL Server had reached "general availability" status, meaning it's deemed ready for production-environment use.

  • Insights for MyAnalytics Getting Switched On for Office 365 Users This Month

    Microsoft is planning to activate "Insights for MyAnalytics" sometime late this month for most Office 365 users, but the ability of organizations to manage this feature won't be available until possibly mid-May.

  • SharePoint Framework 1.8 Now Generally Available

    Microsoft this week announced that SharePoint Framework 1.8 had reached "general availability" status, although some features are still at the preview stage.

  • How To Create Office 365 User Accounts in Bulk

    Manual account creation can be tedious, time-consuming and prone to human error, especially if you have more than a handful of Office 365 users to set up. Brien shows you a better way.

comments powered by Disqus

Office 365 Watch

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.