"The vulnerability is a remote code execution vulnerability. The vulnerability exists in the way that Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated. The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer," warns the advisory.
This tells us a number of things. Firstly, that vulnerable users can be exploited simply by visiting a weaponized website in a typical drive-by attack; no further interaction is needed once the page renders. Secondly, because the code runs in the context of the current user, corporate users who browse from restricted (non-administrator) accounts are less exposed than everyday users who tend to do everything as an administrator.
In the former instance, "If an attacker wants to inflict more serious damage he will need to also use an elevation of privilege (EoP) exploit to gain more access to the victim PC," notes Chester Wisniewski in Naked Security. In the latter instance, the damage is immediate, since the arbitrary code already runs with administrator rights.
Microsoft recommends two immediate workarounds: the 'CVE-2013-3893 MSHTML Shim Workaround' Fix it solution, and deployment of the Enhanced Mitigation Experience Toolkit (EMET). While the latter is recommended, 'everyday users' are likely to be more comfortable with the Fix it.
There are other clues in Microsoft's advisory about what might be going on. The attacks seen so far are targeted and concentrate on IE 8 and IE 9. That suggests spear-phishing against specific targets, designed to drive the targeted users to a malicious website hosting the exploit.
A Reuters report raises the possibility of state involvement. "State-sponsored hacking groups are often willing to pay hundreds of thousands of dollars for zero-day vulnerabilities in widely used software such as Internet Explorer," it reports. "They typically use them on small numbers of carefully selected, high-value targets, to keep such flaws secret."
The irony is that in publishing the workaround, Microsoft is also publishing the flaw. The attack is currently targeted and geographically limited to Japan, notes Wolfgang Kandek, CTO at Qualys. "But with the publication of the shim, other attackers can now analyze the condition fixed and will be able to produce an equivalent exploit fairly quickly."
The likelihood, then, is that what is currently a limited and targeted attack against IE 8 and IE 9 will soon become a more widespread attack, potentially against all supported versions of Internet Explorer. The advice of Paul Henry, security and forensic analyst at Lumension, is compelling: as soon as possible "employ the mitigating factors [listed in the Microsoft advisory together with the Fix it and EMET] and advise users about this so they will be less likely to click malicious links until you can apply the Fix it."
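The three questions the article raises for a Windows administrator are: which IE version is installed (the attacks concentrate on IE 8 and IE 9), whether the user's session carries administrator rights (the exploit runs in the context of the current user), and whether the Fix it shim or EMET is in place. The read-only triage script below is an added example, not code from the article, from Microsoft, or from any of the analysts quoted. The IE version keys and the administrator check are standard Windows facts; the AppCompatFlags path used to detect the shim, and the 'EMET*' display-name pattern used to detect EMET, are assumptions about how those tools register themselves and should be confirmed against the advisory.

```powershell
# Added example (not from the article or the Microsoft advisory): per-workstation
# triage for the exposure described in the text. Written for Windows PowerShell 2.0+
# so it runs on the Windows 7 era machines the advisory covers.

function Get-IEVersion {
    # IE 10 and later keep 'Version' at 9.x for compatibility and store the real
    # version in 'svcVersion', so prefer svcVersion when it is present.
    $key = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Internet Explorer' -ErrorAction Stop
    if ($key.PSObject.Properties['svcVersion']) { return [version]$key.svcVersion }
    return [version]$key.Version
}

function Test-CurrentTokenIsAdmin {
    # The exploit runs "in the context of the current user". This reports whether the
    # token of the current session holds administrator rights. Under UAC, an
    # administrator's non-elevated (filtered) token reports $false; that filtered token
    # is also what a normally launched iexplore.exe runs with.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Test-IECustomShimPresent {
    # Assumption: the Fix it is delivered as an application-compatibility shim database
    # targeting iexplore.exe, which sdbinst registers under AppCompatFlags\Custom.
    # Any value under this key means some custom shim is applied to IE; it does not
    # prove it is the CVE-2013-3893 shim specifically.
    $path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\iexplore.exe'
    if (-not (Test-Path $path)) { return $false }
    $values = (Get-Item $path).GetValueNames()
    return ($values.Count -gt 0)
}

function Get-InstalledProductsLike {
    param([string]$Pattern)
    # Heuristic: scan Add/Remove Programs entries in both the native and the 32-bit
    # (WOW6432Node) registry views for display names matching $Pattern.
    $roots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
    )
    foreach ($root in $roots) {
        if (Test-Path $root) {
            Get-ChildItem $root |
                ForEach-Object { Get-ItemProperty $_.PSPath } |
                Where-Object { $_.DisplayName -like $Pattern } |
                Select-Object -ExpandProperty DisplayName
        }
    }
}

$ie = Get-IEVersion
$emet = @(Get-InstalledProductsLike 'EMET*')   # product name pattern is an assumption

$rows = @(
    @('IE version installed',              $ie.ToString()),
    @('Version the attacks concentrate on', ((8, 9) -contains $ie.Major)),
    @('Session token is administrator',    (Test-CurrentTokenIsAdmin)),
    @('Custom shim applied to iexplore.exe', (Test-IECustomShimPresent)),
    @('EMET product found',                ($emet.Count -gt 0))
)
foreach ($row in $rows) { '{0,-40} {1}' -f $row[0], $row[1] }
```

Run it from an ordinary (non-elevated) session to see what an IE process launched by that user would actually get; a machine that reports IE 8 or 9, an administrator token, no shim and no EMET is the case the article describes as most exposed. Because the detection of the shim and of EMET is heuristic, treat a negative result as "apply the advisory's workarounds and re-check", not as proof that they are absent.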