Today Microsoft released Security Advisory 2458511 to warn Internet Explorer users of a new zero-day attack that Microsoft has seen in the wild. The vulnerability affects IE 6, 7, and 8, although Microsoft says that IE 8's default configuration makes that version of the browser harder to exploit.
UPDATED: Security researchers at Symantec reported the attack to Microsoft and earlier today posted details. I'll summarize. The attackers built exploits specifically for the older versions of IE, 6 and 7. They compromised otherwise legitimate Web servers and added a page carrying the malicious code, then sent e-mails to specific individuals within various organizations to lure them to it. When a target visited the page, it checked which version of IE the visitor was running. If it was not IE 6 or 7, the victim saw a blank Web page. If it was, the page silently downloaded a Trojan that let the attacker send it commands disguised as .gif files. The victim need do nothing but visit the Web page. The owners of the identified Web sites hosting the malicious pages have been contacted and the files removed, but there's no telling how many more are still out there.
It is unlikely that a patch will be available by next week's Patch Tuesday, says Jason Miller, data and security team leader at Shavlik Technologies, Minneapolis, MN. However, Miller says that if Microsoft sees an uptick in this attack, he would expect it to release an out-of-band patch.
Microsoft's advisory describes the flaw this way: "The vulnerability exists due to an invalid flag reference within Internet Explorer. It is possible under certain conditions for the invalid flag reference to be accessed after an object is deleted. In a specially-crafted attack, in attempting to access a freed object, Internet Explorer can be caused to allow remote code execution. At this time, we are aware of targeted attacks attempting to use this vulnerability."
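To make the advisory's description concrete, here is an added example (not Internet Explorer's code and not the exploit seen in the wild) that models the same use-after-free class in C: a flag word is read through a pointer to an object that has already been deleted, and the freed memory has meanwhile been refilled with attacker-chosen bytes. The fixed-slot arena standing in for the heap, the element structure, the 0x41 payload and the generation-checked handle used in the hardened version are all constructed for this illustration; the hardened form is a generic technique, not Microsoft's actual fix.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include <stdbool.h>

#define SLOTS 4
#define SLOT_SIZE 32
#define FLAG_RENDER 1u

/* Model of a DOM element: a flag word that later rendering code trusts. */
struct element { uint32_t flags; char name[16]; };

/* One arena slot. The union lets the same bytes be the element or raw,
 * attacker-supplied content: the reuse a heap allocator performs after free. */
union slot { struct element el; unsigned char raw[SLOT_SIZE]; };

/* Constructed stand-in for the heap: a few fixed slots handed out lowest-free
 * first, so reuse after free is deterministic here. Real allocators are merely
 * predictable enough for an attacker who controls allocation order. */
static union slot arena[SLOTS];
static bool in_use[SLOTS];
static uint32_t generation[SLOTS];  /* bumped on every free; the hardened path checks it */

static int arena_alloc(void)
{
    for (int i = 0; i < SLOTS; i++)
        if (!in_use[i]) { in_use[i] = true; return i; }
    return -1;
}

static void arena_free(int slot)
{
    in_use[slot] = false;
    generation[slot]++;   /* contents deliberately not scrubbed, like most allocators */
}

/* Vulnerable pattern: a raw pointer is kept across an operation that deletes the
 * object, then the flag is read through that stale pointer. Returns the flag word
 * the rendering code would act on. */
static uint32_t vulnerable_flags_after_delete(void)
{
    int slot = arena_alloc();
    struct element *el = &arena[slot].el;
    el->flags = FLAG_RENDER;
    strcpy(el->name, "div");

    arena_free(slot);                           /* script removes the element */
    int reuse = arena_alloc();                  /* attacker allocates a same-size object */
    memset(arena[reuse].raw, 0x41, SLOT_SIZE);  /* constructed payload fills the freed slot */

    uint32_t flags = el->flags;                 /* stale pointer: reads 0x41414141, not FLAG_RENDER */
    arena_free(reuse);
    return flags;
}

/* Hardened pattern: callers hold a (slot, generation) handle instead of a raw
 * pointer and re-resolve it after anything that could delete the object. This is
 * a generic generation-checked-handle technique, not Microsoft's actual fix. */
struct handle { int slot; uint32_t gen; };

static struct element *element_resolve(struct handle h)
{
    if (h.slot < 0 || h.slot >= SLOTS) return NULL;
    if (!in_use[h.slot] || generation[h.slot] != h.gen) return NULL;  /* deleted or reused */
    return &arena[h.slot].el;
}

/* Same sequence of events as above; returns true if the stale access was refused. */
static bool hardened_refuses_stale_access(void)
{
    struct handle h = { arena_alloc(), 0 };
    h.gen = generation[h.slot];
    struct element *el = element_resolve(h);
    el->flags = FLAG_RENDER;
    strcpy(el->name, "div");

    if (element_resolve(h) != NULL) arena_free(h.slot);   /* delete through the handle */
    int reuse = arena_alloc();
    memset(arena[reuse].raw, 0x41, SLOT_SIZE);

    el = element_resolve(h);                    /* re-resolve instead of trusting the old pointer */
    arena_free(reuse);
    return el == NULL;
}

int main(void)
{
    printf("vulnerable: flags read after delete = 0x%08x\n",
           (unsigned)vulnerable_flags_after_delete());
    printf("hardened:   stale access refused    = %s\n",
           hardened_refuses_stale_access() ? "yes" : "no");
    return 0;
}
```

Compile with any C99 or later compiler and run. The vulnerable path reports 0x41414141 where the code expected a flag of 1; that is the point at which a real browser starts making decisions on attacker-controlled data. DEP, the mitigation the advisory credits for IE 8, does not stop this read at all; it only denies the attacker the next step of executing code from memory they control, which is why Microsoft calls it defense in depth rather than a fix.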
IE 8 is less vulnerable due to "defense in depth protections" from its Data Execution Prevention (DEP) feature, which Microsoft says is enabled by default in Internet Explorer 8 on all supported Windows platforms. DEP blocks execution of code placed in data areas of memory, which is the step most exploits of this kind rely on, so a successful attack on IE 8 takes more work than one on IE 6 or 7. While Microsoft PR says that "the impact of this vulnerability is extremely limited and we are not aware of any affected customers," the security advisory itself notes that black hats are already trying to take advantage of the hole in the wild: "At this time, we are aware of targeted attacks attempting to use this vulnerability."
Microsoft says that IE 9 isn't affected, but remember that IE 9 isn't available for XP users, not even those running XP SP3, which Microsoft is still supporting.
While no patch is available yet, Microsoft has offered several workarounds including:
- Override Web site CSS with a user-defined style sheet. The attack is delivered through the page's styling, so a user-defined sheet can override the styling it depends on (that's not going to make a lot of Web developers happy).
- Deploy Microsoft's Enhanced Mitigation Experience Toolkit (EMET), a utility that Microsoft says helps prevent vulnerabilities in software from being successfully exploited. For more information, see Microsoft Knowledge Base Article 2458544.
- IE 7 users are urged to enable the Data Execution Prevention (DEP) feature for the browser, which is on by default only in IE 8, although this may cause conflicts with some browser extensions.
- Read e-mails in plain text, since some mail clients use the IE engine to render HTML messages and a malicious message could otherwise trigger the flaw.
- Set the Internet and Local intranet security zones to "High" to block ActiveX Controls and Active Scripting in those zones.