Zero Day

Ryan Naraine and Dancho Danchev

New Microsoft IE zero-day flaw under attack

By Ryan Naraine | March 9, 2010, 11:19am PST

Summary

A zero-day (unpatched) vulnerability in Microsoft’s Internet Explorer is being exploited in the wild

Ryan Naraine
Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content management technologies.

Prior to joining Kaspersky Lab, Ryan was Editor-at-Large/Security at eWEEK, leading the magazine's and Web site's coverage of Internet and computer security issues and managing the popular SecurityWatch blog, covering the daily threats, vulnerabilities and IT security technologies. He also covered IT security, hacker attacks and secure content management topics for Jupiter Media's internetnetnews.com.

Ryan can be reached at naraine SHIFT 2 gmail.com. For daily updates on Ryan's activities, follow him on Twitter.

Dancho Danchev
Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, and cybercrime incident response. He's been an active security blogger since 2007, and maintains a popular security blog sharing real-time threats intelligence data with the rest of the community on a daily basis. More details on Dancho Danchev's current and past professional affiliations, can be found in his LinkedIn profile. You can also follow him on Twitter

A zero-day (unpatched) vulnerability in Microsoft’s Internet Explorer is being exploited in the wild, the company warned in an advisory issued today.

On the same day it issued software fixes as part of its Patch Tuesday schedule, Microsoft released a pre-patch advisory to warn of the risk of remote code execution attacks against users of IE 6 and IE 7.

From the advisory:

Our investigation so far has shown that Internet Explorer 8 and Internet Explorer 5.01 Service Pack 4 on Microsoft Windows 2000 Service Pack 4 are not affected, and that Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4, and Internet Explorer 6 and Internet Explorer 7 are vulnerable.

The vulnerability exists due to an invalid pointer reference being used within Internet Explorer. It is possible under certain conditions for the invalid pointer to be accessed after an object is deleted. In a specially-crafted attack, in attempting to access a freed object, Internet Explorer can be caused to allow remote code execution.

Microsoft said it was aware of targeted attacks attempting to use this vulnerability. No other details on the attacks were offered.

The company made it clear that the newest version of the browser, Internet Explorer 8, was not affected by this vulnerability.

Some additional mitigations:

  • Protected Mode in Internet Explorer on Windows Vista and later Windows operating systems helps to limit the impact of the vulnerability as an attacker who successfully exploited this vulnerability would have very limited rights on the system. An attacker who successfully exploited this vulnerability on Internet Explorer 6 or Internet Explorer 7 could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less affected than users who operate with administrative user rights.
  • In a Web-based attack scenario, an attacker could host a Web site that contains a Web page that is used to exploit this vulnerability. In addition, compromised Web sites and Web sites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to convince users to visit the Web site, typically by getting them to click a link in an e-mail message or Instant Messenger message that takes users to the attacker’s Web site.
  • By default, Internet Explorer on Windows Server 2003 and Windows Server 2008 runs in a restricted mode that is known as Enhanced Security Configuration. This mode sets the security level for the Internet zone to High. This is a mitigating factor for Web sites that you have not added to the Internet Explorer Trusted sites zone.
  • By default, all supported versions of Microsoft Outlook, Microsoft Outlook Express, and Windows Mail open HTML e-mail messages in the Restricted sites zone, removing the risk of an attacker being able to use this vulnerability to execute malicious code. The Restricted sites zone helps mitigate attacks that could try to exploit this vulnerability by preventing Active Scripting and ActiveX controls from being used when reading HTML e-mail messages. However, if a user clicks a link in an e-mail message, the user could still be vulnerable to exploitation of this vulnerability through the Web-based attack scenario. Additionally, Outlook 2007 uses a different component to render HTML e-mail, removing the risk of this exploit.

In the absence of a patch, IE users should consider switching to an alternative browser — Mozilla Firefox, Google Chrome or Opera.

If you must use Internet Explorer, the following workarounds are available:

  • Modify the Access Control List (ACL) on iepeers.dll
  • Set Internet and Local intranet security zone settings to “High” to block ActiveX Controls and Active Scripting in these zones
  • Configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone
  • Enable DEP for Internet Explorer 6 Service Pack 2 or Internet Explorer 7

Instructions for applying the workarounds are available in Microsoft’s advisory.
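
To check whether a machine already has the zone and ACL workarounds in place, the following read-only PowerShell audit is an added example; it is not taken from this article or from Microsoft's advisory. It assumes per-user zone settings under HKCU with no Group Policy override, that iepeers.dll sits in System32, and that the ACL change appears as a Deny entry; DEP is not checked.

```powershell
# Added example: read-only audit of the IE workarounds listed above.
# Assumption: per-user zone settings (HKCU), no Group Policy override.
$zoneRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$zones    = @{ 1 = 'Local intranet'; 3 = 'Internet' }
$actions  = @{ '1400' = 'Active Scripting'; '1200' = 'Run ActiveX controls and plug-ins' }
$states   = @{ 0 = 'Enabled'; 1 = 'Prompt'; 3 = 'Disabled' }

function Get-ZoneActionReport {
    foreach ($zone in $zones.Keys) {
        $key = Join-Path $zoneRoot $zone
        foreach ($action in $actions.Keys) {
            $item  = Get-ItemProperty -Path $key -Name $action -ErrorAction SilentlyContinue
            $value = if ($item) { [int]$item.$action } else { $null }
            if ($null -eq $value) { $state = 'Not set' }
            elseif ($states.ContainsKey($value)) { $state = $states[$value] }
            else { $state = "Other ($value)" }
            # Prompt or Disabled matches the workaround; Enabled or unset does not.
            New-Object PSObject -Property @{
                Zone      = $zones[$zone]
                Setting   = $actions[$action]
                State     = $state
                Mitigated = ($value -eq 1 -or $value -eq 3)
            }
        }
    }
}

function Get-IepeersDenyEntries {
    # Assumptions: the DLL is in System32 and the ACL workaround shows up
    # as one or more Deny entries on the file.
    $dll = Join-Path $env:windir 'System32\iepeers.dll'
    if (-not (Test-Path $dll)) { return @() }
    (Get-Acl -Path $dll).Access |
        Where-Object { $_.AccessControlType -eq 'Deny' } |
        Select-Object IdentityReference, FileSystemRights
}

Get-ZoneActionReport | Sort-Object Zone, Setting |
    Format-Table Zone, Setting, State, Mitigated -AutoSize
$deny = @(Get-IepeersDenyEntries)
if ($deny.Count) { $deny | Format-Table -AutoSize }
else { 'iepeers.dll: no Deny entries found' }
```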


Disclosure

Ryan Naraine

The most important disclosure is of my employment with Kaspersky Lab as a security evangelist. Kaspersky Lab is a global company specializing in anti-malware and secure content management technologies. I do not own stocks or other investments in any technology company.


Talkback Most Recent of 56 Talkback(s)

  • What about IE 8?
    In the absence of a patch, IE users should consider switching to an alternative browser — Mozilla Firefox, Google Chrome or Opera.

    Constantly amazed how often the most obvious, and likely least painful, recommendation is ignored.
    ye
    03/09/2010 12:25 PM
  • Touché!
    Funny, the same recommendation was made this week about Opera, Chrome and Firefox since they too do not have patches out yet for their own distinct vulnerabilities.

    LMAO!
    WinTard
    03/09/2010 12:32 PM
  • I think the difference being they're not under attack.
    They're merely vulnerabilities with no exploits.
    ye
    03/09/2010 12:34 PM
  • Whose side are you on again?
    You basically just said the non-MS products are safe to use and the MS one isn't???
    AzuMao
    03/09/2010 01:16 PM
  • I said IE 8 is safe because it's not vulnerable.
    Whereas IE 6 and 7 are vulnerable and apparently being exploited. Thus they're not safe. It's sad this has to be explained to you.
    ye
    03/09/2010 01:26 PM
  • My bad, I thought IE 6 and 7 were from Microsoft.
    And that most Windows users had one of those, rather than IE 8.

    And that all the non-IE browsers were not vulnerable.


    Thanks for clearing up my misconceptions again.
    AzuMao
    03/09/2010 03:29 PM
  • Not everyone
    that supports MS is a fanatic just as not everyone that supports Linux is not a fanatic (though you are not helping with this idea).

    Ye has long been, for the most part, a voice of reason.

    The only ones that feel you must choose a side are the zealots. That does not mean a reasonable person can't lean to one side or the other, just that they don't have to defend one side all the time or attack the other side all the time.
    Viva la crank dodo
    (Edited: 03/09/2010 01:34 PM)
  • My bad.
    I forgot that the only way to side with someone/something was to be a fanatic.

    Thank you for enlightening me from my ignorance.
    AzuMao
    03/09/2010 03:31 PM
  • Not at all
    to insist that it's necessary to choose a side in the first place and then ignore your side's faults and the other side's strengths or to always question the other side's supporters' motives requires being a fanatic.
    Viva la crank dodo
    03/10/2010 07:48 AM
  • You mean the only possible motive to defend your view..
    ..and attack your opponents', is being a fanatic?

    There could be no other motive?

    Are you sure?
    AzuMao
    03/10/2010 01:04 PM
  • Is that what I said
    I don't see that anywhere in my comment.
    Viva la crank dodo
    03/11/2010 05:26 AM
  • Here
    to insist that it's necessary to choose a side in the first place and then ignore your side's faults and the other side's strengths or to always question the other side's supporters' motives requires being a fanatic.

    Ergo "the motive for defending your point of view and attacking your opponents' can only be fanaticism".
    AzuMao
    03/11/2010 10:34 AM
  • Wow, you choose to see what you want
    I never said that but I guess you are entitled to read it any way you want. Kind of like LD spins Torvalds posing with a MS sign as an admission of MS superiority.
    Viva la crank dodo
    03/11/2010 11:40 AM
  • Not at all
    Stop questioning my motives.
    AzuMao
    03/11/2010 01:10 PM
  • Good one wink
    You tend to see what is not there. I never questioned your motives, just questioned your interpretation of my previous comment.
    Viva la crank dodo
    03/11/2010 01:19 PM
