Microsoft has issued a Security Advisory warning Internet Explorer users of a targeted attack which exploits a previously unknown flaw to allow remote code execution. According to FireEye, the security firm credited with discovering the attack, all versions of Internet Explorer (v6 – v11) are vulnerable, although currently only versions 9 – 11 are being actively targeted.
The exploit leverages a previously unknown use-after-free vulnerability, and uses a well-known Flash exploitation technique to achieve arbitrary memory access and bypass Windows’ ASLR and DEP protections.
Microsoft is yet to issue a patch for this vulnerability but, according to its advisory, is preparing to do so:
On completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include providing a solution through our monthly security update release process, or an out-of-cycle security update, depending on customer needs.
In the meantime, both FireEye and Microsoft have included methods in their reports which can be utilized to help mitigate the threat. Microsoft is urging IE users to download and install its Enhanced Mitigation Experience Toolkit (EMET). For more information on EMET and how it works I suggest reading through security expert Bran Krebs’ article here: Windows Security 101: EMET 4.0.
If the EMET solution appears a tad complex for less experienced users, FireEye has also included a couple of simple techniques which it claims “breaks the exploit”.
- Enable Enhanced Protected Mode (only available in IE 10 & 11) – Internet Explorer>Tools>Internet Options>Advanced>Security
- Disable the Adobe Flash plug-in, the attack will not work without Adobe Flash – Internet Explorer>Tools>Manage add-ons>Toolbars and Extensions>All add-ons
Operating from within a limited user account can also help limit any damage if the exploit does manage to get through. Of course, the simplest method is probably just to use an alternative browser, at least until Microsoft releases a patch.
Suggested Reading (sources):
- Microsoft Security Advisory 2963983
- New Zero-Day Exploit targeting Internet Explorer Versions 9 through 11 Identified in Targeted Attacks
- Microsoft Warns of Attacks on IE Zero-Day
Microsoft has now issued a security update to patch this vulnerability. The update will be delivered as per normal via Windows Updates – mine arrived several hours ago. This is a critical update, so if you haven’t enabled automatic updates, or performed a manual “check for updates”, now would be a good time to do so.
*XP USERS NOTE: Microsoft has also made this update available for XP.