
Hackers exploit 0-day: Kick IE to the curb or catch a nasty Poison Ivy itch?

Do you use Internet Explorer 6, 7, 8 or 9? If so, then you might catch a nasty itch since malicious hackers are using the IE browsers to install the Poison Ivy Trojan—malware that can steal data or take remote control of PCs. Microsoft has a workaround, but some security experts advise users to kick IE to the curb until Microsoft issues a patch.

Do you use Internet Explorer 6, 7, 8 or 9? If so, then you might catch a nasty itch since malicious hackers are using those IE browsers "to install the Poison Ivy Trojan—malware that can steal data or take remote control of PCs," the BBC warned. This new zero-day can potentially infect "hundreds of millions" of IE browsers. In fact, IE6 - IE9 "accounted for 53% of all browsers used worldwide in August." PCWorld jumped all in by advising you to "dump Internet Explorer until Microsoft issues patch."

Just how bad is it? It wasn't included in Microsoft security patches this month, but then Microsoft Security Response Center issued a security advisory after "reports of only a small number of targeted attacks." Conversely, Rapid7 saw malicious attackers exploiting it in the wild and "strongly advised" users to kick IE to the curb until it's patched. Metasploit also released the new "0-day exploit for IE 7, 8 & 9 on Windows XP, Vista and 7." HD Moore, creator of Metasploit, must agree the exploit is sweet as he retweeted:

The Microsoft Security Advisory states:

A remote code execution vulnerability exists in the way that Internet Explorer accesses an object that has been deleted or has not been properly allocated. The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website.

If you use Outlook, then emails open in the "Restricted sites zone which disables ActiveX controls." However "if a user clicks a link in an email message, the user could still be vulnerable to exploitation of this vulnerability through the web-based attack scenario." Microsoft also warned:

An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

In a web-based attack scenario, an attacker could host a website that contains a webpage that is used to exploit this vulnerability. In addition, compromised websites and websites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these websites. Instead, an attacker would have to convince users to visit the website, typically by getting them to click a link in an email message or Instant Messenger message that takes users to the attacker's website.

If you are using Windows 8 and the bundled Internet Explorer 10 that came with it, you'll be safe, as Microsoft says IE 10 "is not affected." While Microsoft is working to develop a security update "to address this targeted issue," it suggested the following "workarounds and mitigations."

  • Deploy the Enhanced Mitigation Experience Toolkit (EMET)

    This will help prevent exploitation by providing mitigations to help protect against this issue and should not affect usability of websites.

  • Set Internet and local intranet security zone settings to "High" to block ActiveX Controls and Active Scripting in these zones

    This will help prevent exploitation but may affect usability; therefore, trusted sites should be added to the Internet Explorer Trusted Sites zone to minimize disruption.

  • Configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and local intranet security zones

    This will help prevent exploitation but can affect usability, so trusted sites should be added to the Internet Explorer Trusted Sites zone to minimize disruption.
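The second and third workarounds above can be applied without clicking through Internet Options. The following PowerShell is an added example written for this post, not Microsoft's own tooling: it uses the documented IE zone-policy registry layout (zone 1 = Local intranet, zone 3 = Internet; action 1200 = run ActiveX controls, action 1400 = Active Scripting; values 0/1/3 = Enable/Prompt/Disable) for the current user, adds one trusted site so it keeps working, and then verifies the result. The hostname `intranet.example.com` is a constructed placeholder.

```powershell
# Added example (not from the original article): apply the advisory's zone
# workarounds per-user via the registry, allow-list a trusted site, and verify.
$base = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$zones = @{ 1 = 'Local intranet'; 3 = 'Internet' }
# Action IDs: 1200 = Run ActiveX controls and plug-ins, 1400 = Active scripting
# Values:     0 = Enable, 1 = Prompt, 3 = Disable
$settings = @{ '1200' = 3; '1400' = 1 }

function Set-IeZoneMitigation {
    foreach ($z in $zones.Keys) {
        $key = Join-Path $base "Zones\$z"
        foreach ($action in $settings.Keys) {
            Set-ItemProperty -Path $key -Name $action -Value $settings[$action] -Type DWord
        }
        Write-Host ("Hardened zone {0} ({1})" -f $z, $zones[$z])
    }
}

function Add-IeTrustedSite {
    param([Parameter(Mandatory)][string]$Domain)
    # ZoneMap\Domains\<domain>: a DWORD named after the scheme, value 2 = Trusted sites zone
    $key = Join-Path $base "ZoneMap\Domains\$Domain"
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name 'https' -Value 2 -Type DWord
}

function Test-IeZoneMitigation {
    # Returns $true only when every target zone holds both actions at the intended value
    $ok = $true
    foreach ($z in $zones.Keys) {
        $props = Get-ItemProperty -Path (Join-Path $base "Zones\$z")
        foreach ($action in $settings.Keys) {
            if ($props.$action -ne $settings[$action]) {
                Write-Warning ("Zone {0}: action {1} is {2}, expected {3}" -f $z, $action, $props.$action, $settings[$action])
                $ok = $false
            }
        }
    }
    return $ok
}

Set-IeZoneMitigation
Add-IeTrustedSite -Domain 'intranet.example.com'   # constructed placeholder hostname
Test-IeZoneMitigation
```

On domain-joined machines, Group Policy or the machine-wide (HKLM) zone settings can override these per-user values, so `Test-IeZoneMitigation` reporting `$true` does not by itself prove the effective setting; check the resulting zone level in Internet Options as well.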

You may recall that at Black Hat USA, Microsoft released the EMET 3.5 technology preview, which incorporated one of the BlueHat Prize finalist's defensive technologies. However Andrew Storms, director of security operations at nCircle Security, said "people would prefer the bug fix" as opposed to deploying EMET. "EMET is one of those tools that takes time to deploy, [so] it's not a good idea to try and rush the deployment right now. It's kind of like a self-defeating process. Microsoft would like more people to use EMET, but given the few zero-days and relative quickness to patch things, the need for EMET seems to be reduced."

Meanwhile, Raw Story reported, "Some security experts said computer users should avoid Internet Explorer, even if they install Microsoft’s EMET security tool." Tod Beardsley, an engineering manager at Rapid7, said, “It doesn’t appear to be completely effective.” McAfee Security's Dave Marcus said installing EMET "might be a daunting task" and suggested, “For consumers, it might be easier to simply click on [Google's] Chrome.” Firefox is also an option. If you don't switch browsers, then definitely use the workarounds until Microsoft issues a patch to keep your PC safe from catching Poison Ivy.

Regarding security advisories, you should also note this heads-up warning: "Microsoft strongly advises that customers prepare for the Security Advisory 2661254 October Windows Update distribution, which will raise certificate requirements for RSA keys to a minimum 1024 bits in length. More details can be found in the Microsoft Security Response Center blog post and in the Knowledge Base article."

Follow me on Twitter @PrivacyFanatic