Microsoft confirms 'targeted attacks' against old, unpatched IE vulnerability

Microsoft's inability to fix a troublesome browser vulnerability that dates back to 2004 has come back to haunt users of its flagship Internet Explorer browser.

The vulnerability, which affects all supported editions of Microsoft Windows, is currently being used to launch "politically motivated attacks" against human rights activists, most likely in China. Microsoft described these as "limited, targeted attacks" and Google says it is seeing attacks against users of a popular (unnamed) social site.

Here is a warning from Google's security team:

We’ve noticed some highly targeted and apparently politically motivated attacks against our users. We believe activists may have been a specific target. We’ve also seen attacks against users of another popular social site. All these attacks abuse a publicly-disclosed MHTML vulnerability for which an exploit was publicly posted in January 2011. Users browsing with the Internet Explorer browser are affected.

For now, we recommend concerned users and corporations seriously consider deploying Microsoft’s temporary Fixit to block this attack until an official patch is available.

To help protect users of our services, we have deployed various server-side defenses to make the MHTML vulnerability harder to exploit. That said, these are not tenable long-term solutions, and we can’t guarantee them to be 100% reliable or comprehensive. We’re working with Microsoft to develop a comprehensive solution for this issue.

The abuse of this vulnerability is also interesting because it represents a new quality in the exploitation of web-level vulnerabilities. To date, similar attacks focused on directly compromising users' systems, as opposed to leveraging vulnerabilities to interact with web services.

Separately, Google security researcher Michal Zalewski produced a timeline that shows that Microsoft has been aware of this IE security problem since at least 2007.

Based on this 2007 advisory, it appears that a variant of this issue first appeared in 2004, and has been independently re-discovered several times in that timeframe. In 2006, the vendor reportedly acknowledged the behavior as "by design"; but in 2007, partial mitigations against the attack were rolled out as a part of MS07-034 (CVE-2007-2225). Unfortunately, these mitigations did not extend to a slightly modified attack published in the January 2011 post to the full-disclosure@ mailing list.

In the absence of a patch, it's important that IE users apply this Fix-It workaround from Microsoft.

Microsoft is also recommending that IE users:

  • Enable the MHTML protocol lockdown.
  • Set Internet and Local intranet security zone settings to "High" to block ActiveX Controls and Active Scripting in these zones.
  • Configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone.

Instructions for applying these workarounds can be found in Microsoft's advisory.

Topics: Browser, Microsoft, Security

Talkback

15 comments
  • RE: Microsoft confirms 'targeted attacks' against old, unpatched IE vulnerability

    Hahahahahahahaahahaaaaaaaaa.....arghhhhhhhh
    Of course it is by design- never admit it is a bug, say it is a feature.
    kirovs@...
    • Wouldn't they be copying Apple in that respect?

      @kirovs@...
      But then again, it's what they do, right....
      John Zern
      • LOL

        @John Zern LMAO
        MrElectrifyer
      • I don't know what you're laughing at

        I doubt Apple would have left a security hole like this exposed for the last 7 years.

        Wouldn't surprise me if this affects IE9 as well. Pathetic.
        LTV10
  • RE: Microsoft confirms 'targeted attacks' against old, unpatched IE vulnerability

    Of course the best workaround would be to use another vendor's browser.
    AndyPagin
  • RE: Microsoft confirms 'targeted attacks' against old, unpatched IE vulnerability

    One of our IT guys had to install Firefox remotely on one of our new work PCs as IE7 was not working with part of our Intranet which was made for IE6 and is the norm across the rest of the organisation I work for.

    Microsoft f*&king with Web standards and the starry eyed "IT professionals" who let it happen still have a lot to answer for.
    alsobannedfromzdnet
    • You're probably running Firefox in IE mode

      @alsobannedfromzdnet

      That's pretty much the ONLY scenario where Firefox would display something that IE wasn't. You probably have a broken IE installation on that system, and your intranet is pushing ASP.NET pages (IIS anyone?). Firefox has a built-in IE compatibility mode, where it uses IE code to run within itself (and no, it's not sandboxed). It's the "Microsoft .NET framework assistant", which really just runs IE within Firefox. The correct "repair" would have been to remove IE7 and then reinstall it, or better yet - upgrade to IE8. There's probably something that was deleted or corrupted in the render engine - that could happen from a HD getting ready to fail or a couple of bad sectors in just the right place.
      rock06r
    • Also... comments about your "standards"

      @alsobannedfromzdnet

      Ummm. Web Standards?? You mean a collection of companies that all publish their own version of what should look like this and that? Or their own proprietary technologies (Apple quicktime, Realplayer, Macromedia/Adobe Flash, etc. etc etc)? You know, a lot of people these days keep throwing out that wonderful "standards" phrase like it's a yardstick. Let me tell you what a web standard, in this day and age, actually IS: That's when a bunch (like a few million) web pages get built with a technology or two. It's a very dynamic thing. "Standards" change all the time. Apparently, your own company at one point decided to use the ASP standard for their intranet pages. Hey - it works. I would even say it works well - with just a couple of hours of trial and error the average web-pilot can build working webpages with forms and databases on the backend. A little easier on the palate than those other "standards" like PHP/MySQL. Especially if you have a MS Server running your business - no need to hobble together an Apache Server and somehow bind it to your network - just go to your IIS server and enable the built-in web server (in like... four mouse clicks?). Yeah... that's a standard too. And when your business is whining and screaming about some web forms, and how they want to be in business to make widgets and not web pages - well, that's a standard too. They call that the "common sense" standard.
      rock06r
  • RE: Microsoft confirms 'targeted attacks' against old, unpatched IE vulnerability

    NOBODY expects the Spanish Inquisition!!!
    notme403@...
  • RE: Microsoft confirms 'targeted attacks' against old, unpatched IE vulnerability

    Well is this an actual issue, or just hype on a potential problem? How many systems are affected and to what scale is this exploit being actively used? As much as I despise Microsoft as a company; if this is not a real issue, then this should not be brought up as if it's being actively exploited.
    Rick_K
  • IE 9?

    is IE 9 affected?
    shellcodes_coder
  • Did they mean ANY version of IE or just IE 6?

    If this exploit is for any version of IE, then prepare to watch 90% of IE browser usage share move to either Google Chrome or FlamingFox ;)
    MrElectrifyer
  • Why the China FUD???

    Mr. Naraine, where's your proof China had anything to do with this? Last year's accusation re the Aurora malware attributed to the Chinese has since been discredited:

    - the "China code" in Aurora turned out to be "nibble CRC" from a 1988 Novell programming guide.

    - the supposed "China hacker central", Lanxiang Vocational School, turned out to be a diploma mill for cooks and hair dressers.
    ChasL
  • RE: Microsoft confirms 'targeted attacks' against old, unpatched IE vulnerability

    My company did a post on targeted attacks some time ago, mostly on Stuxnet; might be relevant: https://www.brightaxis.com/site/2011/01/stuxnet-targeted-attacks/
    -Pooja
    http://www.brightaxis.com
    brightaxis
  • RE: Microsoft confirms 'targeted attacks' against old, unpatched IE vulnerability

    Great!!! thanks for sharing this information to us!
    talih