News

Microsoft Zero-Day IE Flaw Being Actively Exploited

Microsoft released a security advisory on Monday to address a zero-day vulnerability found in  Internet Explorer 9 and earlier versions.

The flaw, which was publically disclosed by security firm Rapid7 Monday morning, can be exploited users running Internet Explorer on Windows XP, Vista and Windows 7.

"Computers can get compromised simply by visiting a malicious website, which gives the attacker the same privileges as the current user," wrote Rapid7 exploit developer "sinn3r".

The researcher responsible for the discovery, Eric Romang, tested the Internet Explorer flaw on a system running an up-to-date Windows XP SP3. However, he confirmed that Windows 8 (preview versions and RTM versions) is the only Microsoft OS that is not vulnerable to the hack. Also, the test version of Internet Explorer 10 is not vulnerable to attack.

Microsoft confirmed in its security advisory that it "is aware of targeted attacks that attempt to exploit this vulnerability" and is actively investigating the disclosure. However, Microsoft did not provide exploitation number or rate stats.

According to security researchers, the active attacks have used the Poison Ivy backdoor Trojan kit -- the same toolkit that was used in the recent Java zero-day attacks.

While the company did not give a timetable of if and when a security update would arrive, Microsoft's Yunsun Wee of the Trustworthy Computing Group outlined a temporary workaround, which includes deploying the Enhanced Mitigation Experience Toolkit (EMET); setting Internet security zones to "high" and disabling Active Scripting before using Internet Explorer.  

Andrew Storms, nCircle's director of security operations, commented in a blog post that Microsoft's workaround may not be enough to protect a system from attack. "EMET is a great tool, but at this point, it's not clear that EMET blocks every attack vector," wrote Storms. "If you haven't already deployed this toolkit, it's a great time to think about it, but not a great time to do so in a hurry."

Storms also said he believes that Microsoft will not wait until next month's security update to release a fix.

Rapid7 also provided its own workaround that does not involve the EMET: "Since Microsoft has not released a patch for this vulnerability yet, Internet users are strongly advised to switch to other browsers, such as Chrome or Firefox, until a security update becomes available," wrote "sinn3r".

 

About the Author

Chris Paoli is the site producer for Redmondmag.com and MCPmag.com.

Featured

  • Windows Admin Center vs. Hyper-V Manager: What's Better for Managing VMs?

    Microsoft's preferred interface for Windows Server is Windows Admin Center, but can it really replace Hyper-V Manager for managing virtual machines? Brien compares the two management tools.

  • Microsoft Offers More Help on Windows Server 2008 Upgrades

    Microsoft this week published additional help resources for organizations stuck on Windows Server 2008, which fell out of support on Jan. 14.

  • Microsoft Ups Its Carbon Reduction Goals

    Microsoft on Thursday announced a corporatewide carbon reduction effort that aims to make the company "carbon negative" by 2030.

  • How To Dynamically Lock Down an Unattended Windows 10 PC

    One of the biggest security risks in any organization happens when a user walks away from their PC without logging out. Microsoft has the solution (and it's not a password-protected screensaver).

comments powered by Disqus

Office 365 Watch

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.