Microsoft promises official patch for latest IE zero day

Summary: Microsoft has now released a tool to protect those affected by the Internet Explorer zero day while it puts together an official patch.

Microsoft has taken a look at the exploits taking advantage of the zero-day vulnerability discovered in versions 6, 7, 8, and 9 of Internet Explorer, and has released a "Fix It" tool and promised that an out-of-band update will arrive on Friday.

The vulnerability, which was discovered by security researcher Eric Romang as he was examining an unrelated Java zero day, has already attracted attention from Microsoft. Without a tailored patch available, the Redmond, Washington, company pointed its users toward its existing Enhanced Mitigation Experience Toolkit (EMET), which it says will prevent hackers from gaining illegitimate access.

German officials from the country's Federal Office for Information Security are taking no chances, and have said that users should simply stop using Internet Explorer for the time being.

Microsoft stands by its recommendation of EMET, saying in a TechNet post that it offers a "good set of additional mitigations for Internet Explorer that thwart many of the attacks in the wild." Its confidence comes from its analysis of samples in the wild that are attempting to exploit the zero day.

So far, it has only seen attacks on 32-bit versions of Internet Explorer and those that rely on third-party browser plug-ins.

"In the current situation, the chances of successful exploitation via the current attacks on Windows Vista and 7 strongly depend on the presence of these plug-ins on the targeted computers."

Despite its confidence, the company also asked the public to let it know if there are any cases where EMET is not helping to mitigate attacks.

The company also released the Fix It tool that it previously promised, but with the caveat that the protection it provides only works if the latest security updates have been applied. It is similar to the update that it is promising will arrive on Friday.

Michael Lee

About Michael Lee

A Sydney, Australia-based journalist, Michael Lee covers a gamut of news in the technology space including information security, state Government initiatives, and local startups.

Talkback

9 comments
  • Wow, Doubt?

    “Despite its confidence, the company also asked the public to let it know if there are any cases where EMET is not helping to mitigate attacks.”
    RickLively
    • Nobody said EMET was perfect

      Hi RickLively,

      You are correct.

      Microsoft acknowledged that EMET does not provide a 100% guarantee of protecting you from this flaw in the FAQ of their security advisory:

      http://technet.microsoft.com/en-us/security/advisory/2757760

      In addition if an exploit is coded correctly, it could bypass the mitigations of EMET.

      I remember reading about the following examples, a number of months ago. I have also encountered a more recent example bypassing EMET v3.5 Tech Preview Return Oriented Programming mitigations.

      I have never seen it mentioned anywhere that EMET is a complete unbreakable solution; it simply makes it harder for an exploit to work reliably.

      I am providing the links below for your reference only:

      Bypassing EMET:

      http://skypher.com/index.php/2010/11/17/bypassing-eaf/

      http://badishi.com/tweaking-metasploit-modules-to-bypass-emet-part-1/

      http://social.technet.microsoft.com/Forums/en/emet/thread/b0deb3b8-eb70-4e30-a1e5-6828f5304913

      Thanks.
      JimboC421
      • Effectiveness of EMET

        Further info about the effectiveness of EMET for this attack is given in the following blog post:

        http://blogs.technet.com/b/srd/archive/2012/09/19/more-information-on-security-advisory-2757760-s-fix-it.aspx

        In this post, Microsoft is asking for assistance from anyone who encounters an attack that bypasses EMET since they wish to improve EMET against such occurrences. Surely that is a good thing?
        JimboC421
    • Now wait a minute where is Toddy to come on here and tell us

      all how Apple is the most lacking in Security, blah, blah, blah....This has been around since IE version #6??

      Oh wait it's Java so it must be Apple's fault, right Toddy??
      T-Wrench
  • 32bit?

    I think most PCs out there are 64bit now, or a growing number of them. 32bit is like Windows XP...the worst kind of security threat you can find.
    DreyerSmit
    • Thankfully 32 bit is less and less common

      @DreyerSmit

      Most likely the reason why 64 bit is harder to exploit is that 64 bit programs make use of a much larger address space than 32 bit programs. Thus heap spraying techniques are far less effective since the HEASLR (High Entropy Address Space Layout Randomization) of a 64 bit process makes this technique impractical.

      Microsoft mentions this in the following blog posts:

      http://blogs.msdn.com/b/ie/archive/2012/03/14/enhanced-protected-mode.aspx

      http://blogs.msdn.com/b/ie/archive/2012/03/12/enhanced-memory-protections-in-ie10.aspx

      You are right; most of the 32 bit versions are XP. There are still a lot of 32 bit versions of Vista and Windows 7 out there but thankfully they are becoming less and less common.

      Thanks.
      JimboC421
  • Which plugins?

    Hold on boys, let's try and get to the crux of the problem(s) if possible please.

    The Microsoft advisory lays the blame on third-party plugins but doesn't identify them. Does anyone know to which plugins they refer or which plugins are suspected of enabling the exploits?
    Ray Noel
    • Flash is used to exploit the flaw but does not appear to be the root cause

      Hi Ray,

      That’s a good point you have raised.

      According to this article from Kaspersky, the exploit uses Flash movies so it appears to be Adobe Flash Player. From what I can tell, the exploit uses Flash but the flaw is actually in IE and how it de-allocates memory used by Flash since it is a use after free vulnerability.

      http://threatpost.com/en_us/blogs/microsoft-fixit-will-address-ie-zero-day-vulnerability-091912

      http://threatpost.com/en_us/blogs/microsoft-will-patch-ie-zero-day-friday-fixit-available-stopgap-092012

      Further technical details were provided by Symantec:

      http://www.symantec.com/connect/blogs/new-internet-explorer-zero-day-vulnerability-exploited-wild

      My above assumption seems to be confirmed by Microsoft in the following blog post since they are patching mshtml.dll of IE to fix this flaw temporarily and will provide a more permanent fix later today for the same DLL file:

      http://blogs.technet.com/b/srd/archive/2012/09/19/more-information-on-security-advisory-2757760-s-fix-it.aspx

      I could be wrong in my assumption above but this is my interpretation of the many recent news articles/posts on this. I hope this helps answer your question.

      Thanks.
      JimboC421
      • Further info

        Further to my comment above, how the Flash file is used to exploit this flaw is detailed in the following blog post:

        http://blogs.technet.com/b/mmpc/archive/2012/09/21/what-you-need-to-know-about-cve-2012-4969.aspx

        I hope this helps. Thanks.
        JimboC421