Microsoft Subnet An independent Microsoft community View more

Microsoft warns Internet Explorer 6 to 11 vulnerable to zero-day spotted in the wild

FireEye researchers spotted a new zero-day in the wild, with all versions of IE vulnerable, but with IE 9 -11 being targeted for 'Operation Clandestine Fox.'

"Microsoft is aware of limited, targeted attacks that attempt to exploit a vulnerability in Internet Explorer 6, Internet Explorer 7, Internet Explorer 8, Internet Explorer 9, Internet Explorer 10, and Internet Explorer 11," states a security advisory for CVE-2014-1776 that Microsoft released late on Saturday.

FireEye Research Labs identified this new zero-day that is actively being exploited in an ongoing campaign dubbed "Operation Clandestine Fox." The zero-day is "significant" since the vulnerable versions of Internet Explorer "represent about a quarter of the total browser market." More specifically, FireEye said the "vulnerability affects IE 6 through IE 11, but the attack is targeting IE 9 through IE 11. This zero-day bypasses both ASLR and DEP."

Microsoft said:

The vulnerability is a remote code execution vulnerability. The vulnerability exists in the way that Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated. The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website.

FireEye said, "The APT group responsible for this exploit has been the first group to have access to a select number of browser-based 0-day exploits (e.g. IE, Firefox, and Flash) in the past. They are extremely proficient at lateral movement and are difficult to track, as they typically do not reuse command and control infrastructure."

Although the researchers' investigation is still ongoing, they explained some exploitation details, as the "exploit leverages a previously unknown use-after-free vulnerability, and uses a well-known Flash exploitation technique to achieve arbitrary memory access and bypass Windows' ASLR and DEP protections."

During a BSides presentation in February, a Bromium Labs' security researcher bypassed "all of the protections" in Microsoft's free Enhanced Mitigation Experience Toolkit (EMET) 4.1. Shortly thereafter, Microsoft released a tech preview of EMET version 5. However, FireEye researchers are recommending EMET as mitigation for the current zero-day exploiting IE.

Using EMET may break the exploit in your environment and prevent it from successfully controlling your computer. EMET versions 4.1 and 5.0 break (and/or detect) the exploit in our tests. Enhanced Protected Mode in IE breaks the exploit in our tests. EPM was introduced in IE10. Additionally, the attack will not work without Adobe Flash. Disabling the Flash plugin within IE will prevent the exploit from functioning.

Microsoft is currently investigating and working on a fix, but here we venture into a zero-day being exploited in the wild after security patches for XP have come to an end. However, XP was stuck on IE 8, which is vulnerable but not currently being targeted for "Operation Clandestine Fox."

Like this? Here's more posts:

Follow me on Twitter @PrivacyFanatic

From CSO: 7 security mistakes people make with their mobile device
Join the discussion
Be the first to comment on this article. Our Commenting Policies