New Microsoft IE zero-day flaw under attack

New Microsoft IE zero-day flaw under attack

Summary: A zero-day (unpatched) vulnerability in Microsoft's Internet Explorer vulnerability is being exploited in the wild

SHARE:
59

A zero-day (unpatched) vulnerability in Microsoft's Internet Explorer is being exploited in the wild, the company warned in an advisory issued today.

On the same day it issued software fixes as part of its Patch Tuesday schedule, Microsoft released a pre-patch advisory to warn of the risk of remote code execution attacks against users of IE 6 and IE 7.

From the advisory:

Our investigation so far has shown that Internet Explorer 8 and Internet Explorer 5.01 Service Pack 4 on Microsoft Windows 2000 Service Pack 4 are not affected, and that Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4, and Internet Explorer 6 and Internet Explorer 7 are vulnerable.

The vulnerability exists due to an invalid pointer reference being used within Internet Explorer. It is possible under certain conditions for the invalid pointer to be accessed after an object is deleted. In a specially-crafted attack, in attempting to access a freed object, Internet Explorer can be caused to allow remote code execution.

follow Ryan Naraine on twitter Microsoft said it was aware of targeted attacks attempting to use this vulnerability.  No other details on the attacks were offered.

The company made it clear that the newest version of the browser -- Internet Explorer 8 -- was not affected by this vulnerability.

Some additional mitigations:

  • Protected Mode in Internet Explorer on Windows Vista and later Windows operating systems helps to limit the impact of the vulnerability as an attacker who successfully exploited this vulnerability would have very limited rights on the system. An attacker who successfully exploited this vulnerability on Internet Explorer 6 or Internet Explorer 7 could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less affected than users who operate with administrative user rights.
  • In a Web-based attack scenario, an attacker could host a Web site that contains a Web page that is used to exploit this vulnerability. In addition, compromised Web sites and Web sites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to convince users to visit the Web site, typically by getting them to click a link in an e-mail message or Instant Messenger message that takes users to the attacker’s Web site.
  • By default, Internet Explorer on Windows Server 2003 and Windows Server 2008 runs in a restricted mode that is known as Enhanced Security Configuration. This mode sets the security level for the Internet zone to High. This is a mitigating factor for Web sites that you have not added to the Internet Explorer Trusted sites zone.
  • By default, all supported versions of Microsoft Outlook, Microsoft Outlook Express, and Windows Mail open HTML e-mail messages in the Restricted sites zone, removing the risk of an attacker being able to use this vulnerability to execute malicious code. The Restricted sites zone helps mitigate attacks that could try to exploit this vulnerability by preventing Active Scripting and ActiveX controls from being used when reading HTML e-mail messages. However, if a user clicks a link in an e-mail message, the user could still be vulnerable to exploitation of this vulnerability through the Web-based attack scenario. Additionally, Outlook 2007 uses a different component to render HTML e-mail, removing the risk of this exploit.

In the absence of a patch, IE users should consider switching to an alternative browser -- Mozilla Firefox, Google Chrome or Opera.
If you must use Internet Explorer, the following workarounds are available:

  • Modify the Access Control List (ACL) on iepeers.dll
  • Set Internet and Local intranet security zone settings to "High" to block ActiveX Controls and Active Scripting in these zones
  • Configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone
  • Enable DEP for Internet Explorer 6 Service Pack 2 or Internet Explorer 7

Instructions for applying the workarounds are available in Microsoft's advisory.

Topics: Browser, Microsoft, Security

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

59 comments
Log in or register to join the discussion
  • What about IE 8?

    [i]In the absence of a patch, IE users should consider switching to an alternative browser ? Mozilla Firefox, Google Chrome or Opera.[/i]

    Constantly amazed how often the most obvious, and likely least painful, recommendation is ignored.
    ye
  • Touch? !

    Funny, the same recommendation was made this week about Opera, Chrome and Firefox since they too do not have patches out yet for their own distinct vulnerabilities.

    LMAO!
    WinTard
    • I think the difference being they're not under attack.

      They're merely vulnerabilities with no exploits.
      ye
      • Who's side are you on again?

        You basically just said the non-MS products are safe to use and the MS one isn't???
        AzuMao
        • I said IE 8 is safe because it's not vulnerable.

          Whereas IE 6 and 7 are vulnerable and apparently being exploited. Thus they're not safe. It's sad this has to be explained to you.
          ye
          • My bad, I thought IE 6 and 7 were from Microsoft.

            And that most Windows users had one of those, rather than IE 8.

            And that all the non-IE browsers were not vulnerable.


            Thanks for clearing up my misconceptions again.
            AzuMao
        • Not everyone

          that supports MS is a fanatic just as not everyone that supports Linux is not a fanatic (though you are not helping with this idea).

          Ye has long been, for the most part, a voice of reason.

          The only ones that feel you must choose a side are the zealots. That does not mean a reasonable person can't lean to one side or the other, just that they don't have to defend one side all the time or attack the other side all the time.
          Viva la crank dodo
          • My bad.

            I forgot that the only way to side with someone/something was to be a fanatic.

            Thank you for enlightening me from my ignorance.
            AzuMao
          • Not at all

            to insist that its necessary to choose a side in the first place and then ignore your sides faults and the other sides strengths or to always question the other sides supporters motives requires being a fanatic.
            Viva la crank dodo
          • You mean the only possible motive to defend your view..

            ..and attack your opponents', is being a fanatic?

            There could be no other motive?

            Are you sure?
            AzuMao
          • Is that what I said

            I don't see that anywhere in my comment.
            Viva la crank dodo
          • Here

            [i]to insist that its necessary to choose a side in the first place and then ignore your sides faults and the other sides strengths or to always question the other sides supporters motives requires being a fanatic.[/i]

            Ergo "the motive for defending your point of view and attacking your opponents' can only be fanaticism".
            AzuMao
          • Wow, you choose to see what you want

            I never said that but I guess you are entitled to read it any way you want. Kind of like LD spins Torvalds posing with a MS sign as an admission of MS superiority.
            Viva la crank dodo
          • Not at all

            Stop questioning my motives.
            AzuMao
          • Good one ;)

            You tend to see what is not there. I never questioned your motives, just questioned your interpretation of my previous comment.
            Viva la crank dodo
          • My bad.

            I thought that by "Wow, you choose to see what you want" you meant my motive was to misinterpret your post.

            Please tell me what you actually meant.
            AzuMao
          • I don't mean

            That you choose to misrepresent but simply that you are definitely jumping to conclusions to what I meant.

            It is definitely not a problem to defend your view nor to address others views you do not agree with. It is when opinions are expressed as absolutes, a held positions weaknesses are rationalized or dismissed, and an opposing position is always wrong, ignorant or trolling.

            It's possible to have a opposing personal preference which is reasonable without being an "opponent". It is even possible to have a similar preference to one side yet see the positives of the alternative and the negatives of a chosen side. A fanatic either believes this is not possible or at least acts as if to say anything positive of the opposing view is an opponent or a traitor.

            Viva la crank dodo
          • Are you absolutely sure about this;

            [i]It is definitely not a problem to defend your
            view nor to address others views you do not agree
            with. It is when opinions are expressed as
            absolutes[/i]

            or is it just true in certain situations?
            AzuMao
      • RE: New Microsoft IE zero-day flaw under attack

        All people may around a propos that is be off on absolutely akin to so as to after that act even beat
        <a href="http://www.phenobestin.com/s-4-adipex.aspx">Buy adipex</a> / <a href="http://www.phenobestin.com/s-7-phentermine.aspx">cheap phentermine</a>
        cheap phentermine 37.5
    • musical browsers?

      Lol, maybe they all expect us to play musical
      browsers! Seems a bit more like russian roulette though, given the context.
      TheLightcosine