Microsoft warns of new IE zero-day attacks


Summary: Microsoft has raised an alarm for a new round of targeted malware attacks against a zero-day vulnerability in its dominant Internet Explorer browser.



The vulnerability affects all supported versions of Internet Explorer and can be exploited to launch remote code execution (drive-by download) attacks, Microsoft said in an advisory.

From Microsoft's advisory:

The vulnerability exists due to an invalid flag reference within Internet Explorer. It is possible under certain conditions for the invalid flag reference to be accessed after an object is deleted. In a specially-crafted attack, in attempting to access a freed object, Internet Explorer can be caused to allow remote code execution.

According to Symantec's Vikram Thakur, the IE flaw is being used in a blended attack that combines social engineering (well-tailored e-mail lures) and drive-by downloads to load a backdoor Trojan on infected computers.

Thakur said the hackers sent e-mails to a select group of individuals within targeted organizations. "Within the e-mail the perpetrators added a link to a specific page hosted on an otherwise legitimate website. The hackers had gotten access to the website account and uploaded content without the owners knowing," he explained.

He said the link pointed to a page which contained a script looking to see what OS/browser combination the target was using. "Since the specific exploit page only worked when someone was using Internet Explorer 6 and 7, the script only transferred the visitor to the page hosting the exploit when this condition was met. In other cases the users didn't see anything but a blank website," Thakur said.

Although the exploit is geared towards IE 6 and IE 7 users, Microsoft makes it clear the vulnerability also affects IE 8 on all supported versions of Windows.

Visitors who were served the exploit page didn't realize it, but went on to download and run a piece of malware on their computer without any interaction at all. The vulnerability allowed for any remote program to be executed without the end user's notice. Once infected, the malware set itself to start up with the computer, along with a service named 'NetWare Workstation'. The piece of malware opens a backdoor on the computer and then contacts remote servers. It tries to contact a specific server hosted in Poland for small files named with a .gif extension. These small files are actually encrypted files with commands telling the Trojan what to do next.

Microsoft says Internet Explorer 9 Beta users are not affected by this issue.

Impacted versions include Internet Explorer 6, 7 and 8, although our ongoing investigation confirms that default installations of IE8 are unlikely to be exploited by this issue. This is due to the defense in depth protections offered by Data Execution Prevention (DEP), which is enabled by default in Internet Explorer 8 on all supported Windows platforms.

MITIGATIONS:

In the absence of a patch, Microsoft recommends that IE users:

  • Override the Web site CSS style with a user defined CSS
  • Deploy the Enhanced Mitigation Experience Toolkit
  • Enable Data Execution Prevention (DEP) for Internet Explorer 7
  • Read e-mails in plain text
  • Set Internet and Local intranet security zone settings to "High" to block ActiveX Controls and Active Scripting in these zones

Instructions for deploying these mitigations are available in Microsoft Security Advisory (2458511).
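An added audit script (mine, not from the article or from Microsoft's advisory) that reports whether the current user's IE settings match two of the workarounds above: ActiveX controls and Active Scripting disabled in the Internet and Local intranet zones, and a user-defined style sheet override switched on. The registry locations, the zone numbers (1 = Local intranet, 3 = Internet) and the action values (1200 = Run ActiveX controls and plug-ins, 1400 = Active scripting, data 3 = disable) are the ones I know IE uses for these settings and are assumptions as far as this page goes; the DEP and EMET items are not checked.

```powershell
# Added audit script, not taken from the article or from Microsoft's advisory.
# Reports whether the current user's IE settings match two of the listed
# workarounds: ActiveX / Active Scripting disabled in the Internet and Local
# intranet zones, and a user style sheet override switched on.
# Assumption: the registry locations below are where IE stores these settings.
# DEP and EMET are not checked here.

$zonesRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$stylesKey = 'HKCU:\Software\Microsoft\Internet Explorer\Styles'

# Zone 1 = Local intranet, zone 3 = Internet.
$zones = @{ 1 = 'Local intranet'; 3 = 'Internet' }
# Per-action values: 1200 = Run ActiveX controls and plug-ins, 1400 = Active scripting.
# Data: 0 = enable, 1 = prompt, 3 = disable. The "High" level sets both to 3.
$actions = @{ 1200 = 'Run ActiveX controls and plug-ins'; 1400 = 'Active scripting' }

function Test-ZoneHardening {
    $findings = @()
    foreach ($z in $zones.Keys) {
        $props = Get-ItemProperty -Path (Join-Path $zonesRoot $z) -ErrorAction SilentlyContinue
        foreach ($a in $actions.Keys) {
            # A missing value means the zone is at its default (enabled), so it is non-compliant.
            $val = if ($props) { $props.("$a") } else { $null }
            $findings += New-Object PSObject -Property @{
                Zone      = $zones[$z]
                Setting   = $actions[$a]
                Value     = $val
                Compliant = ($val -eq 3)
            }
        }
    }
    return $findings
}

function Test-UserStylesheet {
    $p = Get-ItemProperty -Path $stylesKey -ErrorAction SilentlyContinue
    $enabled = [bool]($p -and $p.'Use My Stylesheet' -eq 1)
    $path = if ($p) { $p.'User Stylesheet' } else { $null }
    # The override only helps if it is switched on AND the CSS file it points to exists.
    New-Object PSObject -Property @{
        Enabled   = $enabled
        Path      = $path
        Compliant = [bool]($enabled -and $path -and (Test-Path -LiteralPath $path))
    }
}

Test-ZoneHardening  | Format-Table Zone, Setting, Value, Compliant -AutoSize
Test-UserStylesheet | Format-List Enabled, Path, Compliant
```

Run it in the user's own session (the keys are under HKCU) before and after applying the advisory's Fix it, and treat any row with Compliant = False as the workaround not being in effect for that user.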


Talkback

23 comments
  • Protected Mode mitigates this too...

    On Vista or 7, that malware that runs "without any interaction at all" will run in protected mode, meaning that it would be unable to install said "NetWare Workstation" service. Another reason to get off XP.
    PB_z
    • RE: Microsoft warns of new IE zero-day attacks

      @PB_z
      And if you follow the links, you will see that the malware authors actually put in extra code so that this won't even try to infect Vista or 7. The malware authors probably realized the futility of breaking out of Protected Mode on those OSs.
      NonZealot
      • I wouldn't say that

        @NonZealot

        But it seems as if the code was specifically looking at Windows XP and IE 6 and 7.
        The one and only, Cylon Centurion
      • RE: I wouldn't say that

        @Cylon Centurion 0005

        AFAIK WinXP is *still* the most popular OS for both home and business users alike. Even if MS released W7 for "FREE" it would take time to get it installed.

        I can say from experience, the majority of home users would rather have XP since it is what they know / are familiar with. Only when they purchase a new PC will they consider a newer OS version. Sadly.
        ~doolittle~
    • RE: Microsoft warns of new IE zero-day attacks

      @PB_z XP is an outdated POS. It's those people's fault for even using a crappy OS.
      Jimster480
      • Re: It's those people's fault for even using a crappy OS.

        @Jimster480
        It may also be the present economy's fault that they cannot afford the upgrade.
        I DO agree the upgrade is absolutely needed, but if you cannot afford it, then what will you do?
        There are a lot of people today that simply do not have the money for it.
        hkommedal
      • RE: Microsoft warns of new IE zero-day attacks

        @Jimster480 A particularly unhelpful comment. XP is still the most popular PC o/s in the world, and most users aren't about to blindly upgrade to something else, especially in a recession.
        AndyPagin
  • RE: Microsoft warns of new IE zero-day attacks

    Another possible threat that is just too darn hard to exploit. It can only be executed under certain conditions. It requires both social engineering and creating a specially crafted site. Since most users are afraid to click on links they don't know and only go to the same 5 or 6 sites I don't see them falling for this trick. It was a nice attempt by the hackers but it's a huge failure.

    Ryan, thanks for letting people know how to avoid this from the Microsoft tips. Much appreciated!
    Loverock Davidson
    • RE: Microsoft warns of new IE zero-day attacks

      @Loverock Davidson

      So why Is MS Worried about? And why the work around? The Social engineering is easy!

      "Since most users are afraid to click on links they don't know and only go to the same 5 or 6 sites I don't see them falling for this trick."

      You have MORE trust in humans than I do!!!

      "It was a nice attempt by the hackers but its a huge failure."

      They are Exploiting it!! DUU How much was stolen?
      mintalaska
  • RE: Microsoft warns of new IE zero-day attacks

    "He said the link pointed to a page which contained a script looking to see what OS/browser combination the target was using. *Since the specific exploit page only worked when someone was using Internet Explorer 6 and 7*, the script only transferred the visitor to the page hosting the exploit when this condition was met. In other cases the users didn't see anything but a blank website, Thakur said."

    Not 100% correct due to an error of omission. The specific exploit page only worked when someone was using Internet Explorer 6 or 7 *on XP*.

    http://www.symantec.com/connect/blogs/new-ie-0-day-used-targeted-attacks

    http://www.symantec.com/connect/imagebrowser/view/image/1538121/_original

    Why they limited this to only attacking XP is anyone's guess but the likely reason is that Protected Mode totally neuters this attack.
    NonZealot
    • Might be

      @NonZealot

      Because it is still used heavily by businesses, and also easier (Way easier) to attack. All you have to do is get by the firewall and whatever AV the system has running (Which is elementary to do), and you have free rein over the OS.
      With Vista and 7, it's a bit more tricky to do as you have UAC, et al.
      The one and only, Cylon Centurion
  • 64-bit browsers

    I would imagine that the 64-bit version of IE further mitigates this because it already has DEP enabled on the process? I use that more than I do a 32-bit browser -period.
    JT82
  • I just thought of something: Have Coverity look at MS' source code.

    No more zero days! Yay.
    Oh. Sorry. I forgot, MS source code isn't 'open source'.
    So much for that idea.
    Dietrich T. Schmitz, ~ Your Linux Advocate
    • RE: Microsoft warns of new IE zero-day attacks

      @Dietrich T. Schmitz, Your Linux Advocate
      Stockholm syndrome comes to mind. Tie a browser to the kernel and this is what happens, more to come.
      Just more band-aids after band-aids; it never stops.

      Hooay!
      daikon
    • RE: Microsoft warns of new IE zero-day attacks

      @Dietrich T. Schmitz, Your Linux Advocate except that open source doesn't prevent bugs. Did you see the amount of critical flaws with the Android kernel? I have an Android phone and I use both Linux and Windows. But I'm not delusional.
      Jimster480
    • Because no OSS has vulnerabilities...

      @Dietrich T. Schmitz, Your Linux Advocate

      ...such as Firefox recently?

      Like Jimster I use both Linux for home (Ubuntu 10.10), Android on my phone and Windows at work. But I'm also not delusional!
      DevJonny
  • Ouch! Really?

    Does Symantec not know of a thing called ClearType?
    The one and only, Cylon Centurion
  • RE: Microsoft warns of new IE zero-day attacks

    For the average computer user (like myself), how about a "run this" one-line instruction instead of a long webpage of mystifying comments, links and instructions? Maybe we could follow 2, even 3 instructions?
    yeoman
    • You are absolutely right, shame on ZDNet

      @yeoman
      [i]how about run this one-line instruction instead of a long webpage of mystifying comments[/i]

      Shame on ZDNet for not providing a link to MS's knowledge base article that contains the "Fix it for me" programs.

      http://support.microsoft.com/kb/2458511

      I don't provide the link to the executable itself because you should [b]never[/b] trust anyone, not even me, with links to executables! Follow the link, ensure you are at a microsoft.com website, and click on the "Fix it for me" link. This will take you down a little further in the page where you have 2 Fix it for me programs. The first will apply the user defined CSS workaround and the 2nd will enable DEP on IE7.

      And ZDNet, you might do your readers a favor by pointing them to these KB articles when they contain Fix it for me programs.
      NonZealot
  • RE: Microsoft warns of new IE zero-day attacks

    Hey guys I tried to download the IE9 Beta, and the Microsoft link seems to only work from Windows 7. Would it work to download it on a 7 machine and then copy the download over to the old XP? Or would that be ill-advised??
    pessimist