Microsoft Admits Attacks Hit IE Browser Zero-Day Flaw

Microsoft has said it is investigating a previously unknown Internet Explorer security flaw that attackers are using to infect Windows systems, but has not set a timetable for delivering a fix

Microsoft has acknowledged that its Internet Explorer (IE) browser is being actively targeted for attacks using a previously unknown and unpatched vulnerability, but has not set a timetable for providing a fix.

The IE browser bug was identified over the weekend by a security researcher from the Metasploit project, whose parent company Rapid7 published an advisory on Monday.

Users must wait for a patch

Microsoft followed with its own advisory, suggesting that users install a package called Enhanced Mitigation Experience Toolkit (EMET) 3.0 to protect themselves while Microsoft carries out its investigation.

“On completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include providing a solution through our monthly security update release process [Patch Tuesday] or an out-of-cycle security update, depending on customer needs,” Microsoft stated.

Unless Microsoft decides to release an out-of-cycle patch, a fix may not arrive until 9 October with the company’s next round of scheduled security updates.

The vulnerability affects IE 6, IE 7, IE 8 and IE 9, but not the new IE 10 browser, according to Microsoft. It can be exploited on Windows XP, Vista and Windows 7. “Microsoft is aware of targeted attacks that attempt to exploit this vulnerability,” the company stated in its advisory.

Security researchers said users can be infected by viewing a specially crafted website, in what is known as a drive-by attack.

The flaw is in the way the IE browser accesses an object that has been deleted or has not been properly allocated, Microsoft said. This may corrupt memory in a way that could allow an attacker to execute malicious code using the same privileges as the current user within Internet Explorer.
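The pattern Microsoft describes, a browser object that is freed while something else still holds a pointer to it, is a use-after-free. The C program below is an added illustration, not code from Microsoft, Rapid7 or the article: it models a tiny object table whose handles carry a generation counter, so that a reference held past the object's deletion is detected and refused rather than dereferencing reused memory. All names (`obj_create`, `obj_delete`, `obj_touch`, `demo_stale_handle`) and the "div#a"/"img#b" objects are constructed for the example.

```c
#include <stdio.h>
#include <stdint.h>

/* Constructed example: objects live in a fixed table and are referred to by
 * (slot, generation) handles. Deleting an object bumps the slot's generation,
 * so any handle that outlived the object no longer matches and every access
 * through it is refused instead of touching memory the slot's new occupant owns. */

#define MAX_OBJECTS 8

typedef struct {
    int alive;
    uint32_t generation;
    char name[16];
} object_t;

typedef struct {
    uint32_t slot;
    uint32_t generation;
} handle_t;

static object_t table[MAX_OBJECTS];

/* Allocate a slot; returns an invalid handle (slot == UINT32_MAX) when full. */
handle_t obj_create(const char *name) {
    for (uint32_t i = 0; i < MAX_OBJECTS; i++) {
        if (!table[i].alive) {
            table[i].alive = 1;
            snprintf(table[i].name, sizeof table[i].name, "%s", name);
            return (handle_t){ i, table[i].generation };
        }
    }
    return (handle_t){ UINT32_MAX, 0 };
}

/* Resolve a handle; NULL for stale (already deleted) or malformed handles. */
object_t *obj_lookup(handle_t h) {
    if (h.slot >= MAX_OBJECTS) return NULL;
    object_t *o = &table[h.slot];
    if (!o->alive || o->generation != h.generation) return NULL;
    return o;
}

/* Delete the object; every outstanding handle to this slot becomes stale. */
int obj_delete(handle_t h) {
    object_t *o = obj_lookup(h);
    if (!o) return -1;
    o->alive = 0;
    o->generation++;
    return 0;
}

/* Use the object. Returns 1 on success, 0 when the handle is refused as stale. */
int obj_touch(handle_t h) {
    object_t *o = obj_lookup(h);
    if (!o) return 0;
    printf("using %s\n", o->name);
    return 1;
}

/* Scenario from the article's description: a reference is kept, the object is
 * deleted, the freed slot is reused by a new object, then the old reference is
 * used. With raw pointers that access would read the new occupant's memory;
 * here the generation mismatch makes obj_touch(old) return 0. */
int demo_stale_handle(void) {
    handle_t old = obj_create("div#a");
    obj_delete(old);                        /* freed while 'old' is still held */
    handle_t reused = obj_create("img#b");  /* lands in the same, now-free slot */
    int touched_old = obj_touch(old);       /* refused: generation mismatch */
    int touched_new = obj_touch(reused);    /* live handle, access allowed */
    obj_delete(reused);
    return touched_old == 0 && touched_new == 1;
}

int main(void) {
    printf("stale handle refused: %s\n", demo_stale_handle() ? "yes" : "no");
    return 0;
}
```

The generation check is the detection point: a raw pointer carries no information about whether its target is still alive, whereas a tagged handle can be validated on every access, which is the same idea behind the hardened allocators and "use-after-free detection" features that mitigation toolkits such as EMET apply to a process from the outside.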

Workarounds advised

Microsoft advised users to deploy EMET, but this may be beyond the abilities of many users as it must be manually configured. Microsoft also suggested users could set the Internet and Local intranet security zone settings to “High” to block ActiveX Controls and Active Scripting in these zones, but this may prevent some websites from operating correctly.

Rapid7 advised users to temporarily switch to another browser if possible.

“Since Microsoft has not released a patch for this vulnerability yet, Internet users are strongly advised to switch to other browsers, such as Chrome or Firefox, until a security update becomes available,” the company said in its advisory.

Based on browser market share figures from StatCounter, Rapid7 estimated that the flaw puts about 41 percent of Internet users in North America and 32 percent worldwide at risk.

Metasploit has released an exploit that organisations can use to see whether their systems are vulnerable to the IE flaw.

The flaw was first noticed over the weekend by Luxembourg-based Metasploit researcher Eric Romang, who found it had been used to infect his system. Romang said the exploit may have been developed by the “Nitro” hacking gang, which carried out cyber-espionage attacks on human rights organisations, the automobile industry and the chemicals industry in 2011.

The same group was also responsible for a round of attacks exploiting a zero-day Java vulnerability in August, according to Symantec.
