Microsoft: Beware IE Zero-Day Attacks

  /     /     /  
Publicated : 22/11/2024   Category : security


Microsoft: Beware IE Zero-Day Attacks


Microsoft offers temporary fix for security flaw in most versions of Internet Explorer, but doesnt yet have a patch to stop attackers from remotely executing code.



20 Great Ideas To Steal In 2013 (click image for larger view)
Internet Explorer users, watch where you browse.
Microsoft issued that warning Tuesday after spotting some in-the-wild attacks targeting a new bug in IE. There are only reports of a limited number of targeted attacks specifically directed at Internet Explorer 8 and 9, although the issue could potentially affect all supported versions -- meaning also Internet Explorer versions 6, 7, 10 and 11 -- said Dustin Childs, a group manager for communications in Microsofts Trustworthy Computing group, in a
blog post
.
We are actively working to develop a security update to address this issue, Childs said, though he provided no timeline for when that might happen.
[ Could crowdsourcing help in instances like this? Read
HP Portal Crowdsources Security Threat Intelligence
. ]
According to Microsoft security engineer Neil Sikka, the IE bug (
CVE-2013-3893
) that attackers have been exploiting enables them to bypass the
address space layout randomization
(ASLR) attack-blocking feature built into newer versions of IE, and gain the ability to remotely execute code. The exploit was attacking a
use after free
vulnerability in IEs HTML rendering engine (mshtml.dll) and was implemented entirely in JavaScript -- no dependencies on Java, Flash etc. -- but did depend on a Microsoft Office DLL, which was not compiled with ASLR enabled, Sikka said in a
blog post
.
Microsofts related
security advisory
said the most likely mode of exploitation would be for attackers to host malicious websites or else submit specially crafted content that could exploit this vulnerability to third-party- sites that accept user-provided content or advertisements. Accordingly, Microsoft said to
beware of any links
of unknown origin that might arrive via email, instant messaging or social networks, since they might lead to a site designed to exploit the vulnerability.
Related attacks, if successful, would give attackers code the same user rights as the current user, meaning they might be able to install programs; view, change, or delete data; or create new accounts with full user rights. Accordingly, attackers might be able to do less damage against non-administrator or relatively locked-down user accounts.
Not all types of IE are at risk from exploits of this bug. According to Microsofts security advisory, by default, Internet Explorer on Windows Server 2003, 2008, 2008 R2, 2012, and 2012 R2 runs in a restricted mode, known as enhanced security configuration, which mitigates the vulnerability. Likewise, by default all supported versions of Microsoft Outlook, Microsoft Outlook Express and Windows Mail open any received HTML in a restricted zone, which would also mitigate the vulnerability.
How can businesses protect themselves? Microsoft has released a temporary fix it solution for 32-bit versions of Internet Explorer that its calling the
MSHTML Shim Workaround
. This Fix it solution is not intended to be a replacement for any security update. We recommend that you always install the latest security updates, according to Microsofts security advisory. However, we offer this Fix it solution as a workaround option for some scenarios, such as the current one, in which Microsoft has yet to patch the flaw thats being exploited. For this workaround to work, however, a PC must first have installed a
cumulative security update for IE
released on Sept. 10 by Microsoft.
Microsofts Sikka said that the companys
Enhanced Mitigation Experience Toolkit
(EMET) -- version 3.0 or 4.0 -- can also be used to help prevent related exploits from being successful. This approach, notably, will work not only with 32-bit but also 64-bit versions of IE.
Tuesdays Fix It release was the first time in four months that Microsoft has had to release an emergency workaround for a flaw thats being actively exploited by attackers, said Chester Wisniewski, a senior security advisor at Sophos Canada, in a
blog post
.
But are the EMET or Fix It mitigation strategies worth the effort? For business users, the answer is yes, said Wisniewski. But consumers might spare themselves the hassle, and instead adopt a simpler -- perhaps temporary, perhaps not -- fix. My advice for non-corporate PCs is to simply use another browser until Microsoft is able to deliver a fix, he said.

Last News

▸ IoT Devices on Average Have 25 Vulnerabilities ◂
Discovered: 23/12/2024
Category: security

▸ DHS-funded SWAMP scans code for bugs. ◂
Discovered: 23/12/2024
Category: security

▸ Debunking Machine Learning in Security. ◂
Discovered: 23/12/2024
Category: security


Cyber Security Categories
Google Dorks Database
Exploits Vulnerability
Exploit Shellcodes

CVE List
Tools/Apps
News/Aarticles

Phishing Database
Deepfake Detection
Trends/Statistics & Live Infos



Tags:
Microsoft: Beware IE Zero-Day Attacks