Install IE FixIT to Avoid Zero Day Attack

Summary:

  • This vulnerability affects: Probably all current versions of Internet Explorer (IE), but the targeted exploit only affects IE 8 and 9
  • How an attacker exploits it: By enticing one of your users to visit a web page containing malicious content
  • Impact: In the worst case, an attacker can execute code on your user’s computer, potentially gaining complete control of it
  • What to do: Apply Microsoft’s IE FixIt, or consider the other workarounds below

Exposure:

Today, Microsoft released a critical out-of-cycle security advisory warning customers of a serious new zero day vulnerability affecting Internet Explorer (IE), which attackers are currently exploiting in the wild. The flaw likely affects all current versions of IE (6-11), but Microsoft claims the targeted attack only goes after IE 8 and 9 users.

The early advisory doesn’t describe the vulnerability in much technical detail, but what it does describe sounds very much like a “use after free” vulnerability involving the way IE handles certain HTML objects. Regardless of the technical details, the scope and impact are the same. If an attacker can lure you to a web site containing malicious code (including a legitimate web site which may have been hijacked and booby-trapped), he could exploit this vulnerability to execute code on your computer, with your privileges. As always, if you have local administrator privileges, the attacker could exploit this issue to gain complete control of your computer.

A remote code execution vulnerability is bad enough in theory, but knowing that attackers found this one first and are already exploiting it in the wild makes this flaw a pretty critical issue. The good news is that Microsoft has released a FixIt to mitigate the risk of this flaw. We highly recommend you apply that FixIt, and also consider the other protective workarounds mentioned below.

Solution Path:

Since this vulnerability was first discovered in the wild, Microsoft has not yet had time to release a patch. However, they have released a FixIt workaround to temporarily mitigate the attack. If you use IE, I recommend you apply the FixIt immediately.

It’s important to note FixIts are temporary workarounds. They don’t replace full patches. We expect Microsoft to release a full patch for this flaw in the future, perhaps even in an out-of-cycle IE bulletin this month.

Finally, though the FixIt prevents attackers from exploiting this issue, we also offer a few other workarounds below. Some of these tips can help mitigate many web-based, memory-related vulnerabilities, so you might consider making them your regular practice:

  • Temporarily use a different web browser – I’m typically not one to recommend one web browser over another, as far as security is concerned. They all have had vulnerabilities. However, this is a fairly serious issue, so you may want to consider temporarily using a different browser until Microsoft patches.
  • Install Microsoft EMET – EMET is an optional Microsoft tool that adds additional memory protections to Windows. I described EMET in a previous episode of WatchGuard Security Week in Review. EMET is a fairly complex tool, so I only recommend it to more advanced administrators. Nonetheless, installing it could help protect your computer from many types of memory corruption flaws, including this one.
  • Configure Enhanced Security Configuration mode on Windows Servers – Windows Servers in Enhanced Security Configuration mode are not vulnerable to this attack.
  • Make sure your AV and IPS are up to date – While not all IPS and AV systems have signatures for all these attacks yet, they will in the coming days. Be sure to keep your AV and IPS systems updating regularly, to get the latest protections.

For All WatchGuard Users:

Our IPS signature team belongs to the Microsoft Active Protections Program (MAPP). According to their advisory, Microsoft is sharing information about this attack with MAPP partners now. Due to this partnership, we’ll likely have a signature for this attack shortly. Regardless, we still highly recommend you apply Microsoft’s FixIt to protect your users.

Status:

Microsoft has released a FixIt to mitigate the issue. They plan on releasing a full patch in the future.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).

About Corey Nachreiner

Corey Nachreiner has been with WatchGuard since 1999 and has since written more than a thousand concise security alerts and easily-understood educational articles for WatchGuard users. His security training videos have generated hundreds of letters of praise from thankful customers and accumulated more than 100,000 views on YouTube and Google Video. A Certified Information Systems Security Professional (CISSP), Corey speaks internationally and is often quoted by other online sources, including C|NET, eWeek, and Slashdot. Corey enjoys "modding" any technical gizmo he can get his hands on, and considers himself a hacker in the old sense of the word.

Trackbacks/Pingbacks

  1. MS Patch Day Fixes 0day and Warning for Adobe Users | WatchGuard Security Center - October 3, 2013

    […] Patch Day, except that one of the Critical updates fixes the very serious zero day IE flaw, which I warned you about a few weeks ago. Since that initial warning, more and more attackers have started […]

  2. IE Update Fixes Two Zero Day Vulnerabilities | WatchGuard Security Center - October 8, 2013

    […] that attackers are exploiting in the wild. We’ve warned you about the first in a previous post, and just learned about a second one […]
