Microsoft warns of new IE zero-day attacks

Summary: Microsoft has raised an alarm for a new round of targeted malware attacks against a zero-day vulnerability in its dominant Internet Explorer browser.


The vulnerability affects all supported versions of Internet Explorer and can be exploited to launch remote code execution (drive-by download) attacks, Microsoft said in an advisory.

From Microsoft's advisory:

The vulnerability exists due to an invalid flag reference within Internet Explorer. It is possible under certain conditions for the invalid flag reference to be accessed after an object is deleted. In a specially-crafted attack, in attempting to access a freed object, Internet Explorer can be caused to allow remote code execution.

According to Symantec's Vikram Thakur, the IE flaw is being used in a blended attack that combines social engineering (well-tailored e-mail lures) and drive-by downloads to load a backdoor Trojan on infected computers.


Thakur said the hackers sent e-mails to a select group of individuals within targeted organizations. "Within the e-mail the perpetrators added a link to a specific page hosted on an otherwise legitimate website. The hackers had gotten access to the website account and uploaded content without the owners knowing," he explained.

He said the link pointed to a page which contained a script looking to see what OS/browser combination the target was using. "Since the specific exploit page only worked when someone was using Internet Explorer 6 and 7, the script only transferred the visitor to the page hosting the exploit when this condition was met. In other cases the users didn't see anything but a blank website," Thakur said.

Although the exploit is geared towards IE 6 and IE 7 users, Microsoft makes it clear the vulnerability also affects IE 8 on all supported versions of Windows.

Visitors who were served the exploit page didn't realize it, but went on to download and run a piece of malware on their computer without any interaction at all. The vulnerability allowed for any remote program to be executed without the end user's notice. Once infected, the malware set itself to start up with the computer, along with a service named 'NetWare Workstation'. The piece of malware opens a backdoor on the computer and then contacts remote servers. It tries to contact a specific server hosted in Poland for small files named with a .gif extension. These small files are actually encrypted files with commands telling the Trojan what to do next.
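The post-infection behaviour described above gives a defender two concrete things to look for: a persistence service called 'NetWare Workstation' and a beacon pattern of repeated fetches of small .gif files from one external host. The script below, an added example that is not part of the article or of Symantec's analysis, runs both checks over a constructed service inventory and constructed proxy log lines; the log format (timestamp, client, method, URL, bytes), the 1024-byte "small file" threshold and the three-hit minimum are assumptions for illustration.

```python
"""Hunt for the two indicators described in the article: a service named
'NetWare Workstation' and repeated small .gif downloads from one host.
Added example; the service listing and proxy log below are constructed."""
import urllib.parse
from collections import Counter

# Service name taken from the article; matched case-insensitively.
SUSPICIOUS_SERVICE_NAMES = {"netware workstation"}

# Constructed sample: service inventory as 'name|display name|state' lines.
SERVICES = [
    "wuauserv|Windows Update|Running",
    "NetWare Workstation|NetWare Workstation|Running",
    "Spooler|Print Spooler|Running",
]

# Constructed sample proxy log: timestamp client method url bytes
PROXY_LOG = """\
2010-11-03T09:00:01 10.1.2.15 GET http://intranet.example.test/home.html 18342
2010-11-03T09:00:12 10.1.2.15 GET http://c2.example.test/u/a1.gif 312
2010-11-03T09:05:13 10.1.2.15 GET http://c2.example.test/u/b7.gif 288
2010-11-03T09:10:14 10.1.2.15 GET http://c2.example.test/u/c3.gif 301
2010-11-03T09:10:20 10.1.2.40 GET http://cdn.example.test/logo.gif 5120
"""


def suspicious_services(service_lines, names=SUSPICIOUS_SERVICE_NAMES):
    """Return the service names from the inventory that are on the watch list."""
    hits = []
    for line in service_lines:
        name = line.split("|", 1)[0].strip()
        if name.lower() in names:
            hits.append(name)
    return hits


def gif_beacons(log_text, max_bytes=1024, min_hits=3):
    """Count .gif responses no larger than max_bytes per (client, host) and
    return the pairs that reach min_hits; thresholds are assumptions."""
    counts = Counter()
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip malformed lines rather than crash the sweep
        _ts, client, _method, url, size = fields
        try:
            size = int(size)
        except ValueError:
            continue
        parts = urllib.parse.urlsplit(url)
        if not parts.path.lower().endswith(".gif") or size > max_bytes:
            continue
        counts[(client, parts.hostname)] += 1
    return {key: n for key, n in counts.items() if n >= min_hits}


if __name__ == "__main__":
    for name in suspicious_services(SERVICES):
        print(f"suspicious service present: {name}")
    for (client, host), n in gif_beacons(PROXY_LOG).items():
        print(f"{client} fetched {n} small .gif files from {host}")
```

The service check is exact and cheap; the beacon check is a heuristic, so in practice pair it with a size distribution or a periodicity check before raising an alert, since legitimate tracking pixels are also small .gif files.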

Microsoft says Internet Explorer 9 Beta users are not affected by this issue.

Impacted versions include Internet Explorer 6, 7 and 8, although our ongoing investigation confirms that default installations of IE8 are unlikely to be exploited by this issue. This is due to the defense in depth protections offered by Data Execution Prevention (DEP), which is enabled by default in Internet Explorer 8 on all supported Windows platforms.

MITIGATIONS:

In the absence of a patch, Microsoft recommends that IE users:

  • Override the Web site CSS style with a user defined CSS
  • Deploy the Enhanced Mitigation Experience Toolkit
  • Enable Data Execution Prevention (DEP) for Internet Explorer 7
  • Read e-mails in plain text
  • Set Internet and Local intranet security zone settings to "High" to block ActiveX Controls and Active Scripting in these zones

Instructions for deploying these mitigations are available in Microsoft Security Advisory (2458511).
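The last mitigation in the list, setting the Internet and Local intranet zones to "High", amounts to disabling two zone actions: Active scripting (registry value "1400") and Run ActiveX controls and plug-ins (registry value "1200"), each set to 3 (Disable). The audit below is an added example, not Microsoft's Fix-It or any script from the advisory; it reads those per-user values on Windows and, on any platform, evaluates a snapshot against the expected setting. The sample snapshot is constructed, and the HKCU key path is the one IE uses for per-user zone settings.

```python
"""Audit IE zone settings for the two actions the mitigation list disables.
Added example; SAMPLE is a constructed registry snapshot, not a real capture."""
import sys

ZONE_KEY = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones"
ZONES = {1: "Local intranet", 3: "Internet"}
# Well-known IE URL-action value names; data 0 = Enable, 1 = Prompt, 3 = Disable
CHECKS = {"1200": "Run ActiveX controls and plug-ins", "1400": "Active scripting"}
DISABLE = 3


def read_zone_values(zones=ZONES, checks=CHECKS):
    """On Windows, read the per-user zone values into {(zone, value_name): data}."""
    if sys.platform != "win32":
        raise OSError("zone settings live in the Windows registry")
    import winreg  # only importable on Windows
    snapshot = {}
    for zone in zones:
        key_path = ZONE_KEY + "\\" + str(zone)
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, key_path) as key:
            for name in checks:
                try:
                    data, _kind = winreg.QueryValueEx(key, name)
                except FileNotFoundError:
                    data = None  # value absent: zone falls back to its template
                snapshot[(zone, name)] = data
    return snapshot


def audit(snapshot, zones=ZONES, checks=CHECKS):
    """Return one finding per (zone, action) whose data is not 3 (Disable)."""
    findings = []
    for zone, zone_name in zones.items():
        for name, action in checks.items():
            data = snapshot.get((zone, name))
            if data != DISABLE:
                findings.append(
                    f"{zone_name}: '{action}' is {data!r}, expected {DISABLE} (Disable)"
                )
    return findings


# Constructed snapshot: hardened intranet zone, Internet zone still at Enable.
SAMPLE = {(1, "1200"): 3, (1, "1400"): 3, (3, "1200"): 0, (3, "1400"): 0}

if __name__ == "__main__":
    snapshot = read_zone_values() if sys.platform == "win32" else SAMPLE
    for finding in audit(snapshot) or ["all checked zone actions are disabled"]:
        print(finding)
```

Two caveats when using this on real machines: a missing value means IE falls back to the zone's template level rather than to Disable, which is why the audit treats None as a finding, and if Group Policy applies zone settings machine-wide (HKLM with the Security_HKLM_only setting), the HKCU values read here are not the ones in effect.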


About

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content managem...
