17
Sep 13

Microsoft: IE Zero Day Flaw Affects All Versions

facebooktwittergoogle_plusredditpinterestlinkedinmail

Microsoft said today that attackers are exploiting a previously unknown, unpatched vulnerability in all supported versions of its Internet Explorer Web browser. The company said it is working on an official patch to plug the security hole, but in the meantime it has released a stopgap fix to help protect affected customers.

IEwarningMicrosoft said it is aware of targeted attacks that attempt to exploit the vulnerability (CVE-2013-3893) in IE 8 and IE 9 versions of the default Windows browser. According to an advisory issued today, the flaw is a remote code bug, which means malware or miscreants could use it install malware just by coaxing IE users to browse a hacked or malicious Web site.

The Fix It solution is available from this link. To apply it, click the Fix It icon above the Fix This Problem link. Applying this solution may limit some functionalities of IE, so if you run into problems after applying this interim patch, you can click the Fix It icon to the right of that “enable” button to reverse the update.

Update: As several readers have already noted in the comments, this Fix It solution is for 32-bit versions of IE only. In 64-bit Windows, you can tell whether the browser you’re using is a 32-bit or 64-bit version by opening the Windows Task Manager (Ctrl+Shift+Esc) and clicking the Processes tab. The number that appears after the process name (in this case, iexplore.exe) indicates the version in use.

Tags: , , ,

67 comments

  1. HUH?
    MS: “We’ve spotted a vulnerability that we don’t how to fix, just thought we’d let you know we know about it and that there’s a way to work around it until we can hire some smarter programmers.” ??? SMH

  2. It’s worth noting, per Microsoft Security Advisory 2887505, that “EMET 4.0, in the recommended configuration, is automatically configured to help protect Internet Explorer. No additional steps are required.” EMET 3.0 can be configured manually. See the advisory.

  3. I’ve been in IT a long time, and until recently I just accepted the fact that MS patch updates are a part of the IT life, no questions asked. It feels like I live in the world of Wall-es’ just going along on the infrared line, doing what we are told, “install these patches to plug that security leak.”

    Years ago, I could understand why MS had to release security patches, but I have lost touch with this understanding as to why there are so many security patches, week after week, month after month, year after year.

    What was patched this week, that couldn’t be patched last week? What patches are coming out next week, to fix a security flaw from this week, or last week? When does the madness stop? When will MS design a browser without so many flaws that need patched weekly? There is a Dilbert skit here…

    I stopped using IE a while back, but it is used in the business environment I work in. I truly feel that most of us, or those that use IE just go along and accept the fact that this is “as good as it gets…” no real significant improvements, just a software program called “patches” that must be installed weekly.

    BTW, I’m not against security updates, but I don’t see this happening as much or as often w/FF, Chrome, Safari.

    Thanks, I feel better airing my pet peeve.

    • > BTW, I’m not against security updates, but I don’t see this happening as much or as often w/FF, Chrome, Safari.

      Chrome updates silently, and we don’t spend as much time reading about the security updates. It doesn’t mean that they don’t happen.

      http://googlechromereleases.blogspot.com/

      • That aside, it looks like some applications (Java, Flash, Reader, Shockwave, Internet Explorer) are really “patched” and “patched” like an old pair of trousers. It is a structural problem and sometimes they don’t even fix a vulnerability, they just block a specific exploit using it.

      • Moike, maybe this is the exception that proves the rule, but Adobe released version 11.8.800.168 of Flash Player on Patch Tuesday (eight days ago) and Google still hasn’t updated Chrome with the corresponding Pepper Flash version, …170 (except for Chrome OS, which received a Stable channel update with that version yesterday).

        I see Google *just* announced a new Stable version of the Chrome browser but it doesn’t appear to include the Pepper Flash update. ಠ_ಠ
        http://googlechromereleases.blogspot.com/2013/09/chrome-stable-update.html

    • Ok. Internet explorer is shipped with windows. Windows represents the largest market share currently (when combined, over 90% of the market is windows based).

      Based on this information alone, it’s a smart idea (if you’re a malicious exploit designer) to design for internet explorer, because 90% of computers have it.

      Now, Years ago, when the internet consisted of geocities and bulletin boards, sure, you most likely didn’t need to update every week, because not that many people were online.

      Today, everyone’s connected (this includes mr malicious exploiter designer up there) some even with multiple devices, so it seems fitting that today you’d have more things to patch because you have more people with the capability to find flaws and exploit them..

      I mean seriously, you have people in India calling, saying ‘i am microsoft, our server found virus on your computer, here me send you link, you install and let one of our microsoft certified professionals fix your problem” (as they clean your temp files and leave the TVNC client wide open for them to come in later, all the while asking for your credit card numbers so they can drain your bank account and put you in debt)

      Now think about all you’ve said, and re-process it with that frame of mind.

      You’ll soon realize that these patches and updates are necessary for the protection of the sensitive information users place on their computers, companies keep in their workstations/servers, etc.

      • There is just that many more miscreants out there nowadays compared to years ago.

        This is also more proof that nowadays you don’t even have to click to install anything. You just browse the wrong webpage and your infected. And as recent reports show, it could even be a commerical website like NBC infecting you. Nowhere is safe and you have to blame these nerdy online communities that hate society, as much as you do Microsoft or other companies.

        • Indeed, I have to keep reminding people that the reason to install Adblock isn’t to block advertising, it’s to block the miscreants who join an ad network and use those networks to spread malware. While you can still end up getting linked to a malware-installing web server, or a trusted website can be hacked to install malware, most of the infections I’ve dealt with came from ad networks on completely unrelated pages. Until the ad networks get around to cleaning their house, and doing an adequate job to keep them clean, I’m blocking them with extreme prejudice and recommending that others do the same.

  4. The Utah Data Center/N.S.A./ Area 51/Room 641A/XKeyscore/PRISM

    In my humble opinion internet users need to quickly abandon Internet Explorer. Every month this year, Microsoft has had a security update for all versions of Internet Explorer. Doesn’t that tell you something? If hacker’s and cyber-criminals continue to target the browser with zero day exploits and malware, then maybe it’s time to get users away from it until Microsoft gets their act together.

    I was told by a guy who works at a Office Depot that they can’t sell a Windows 8 machine’s without installing classic shell with the start button. If people can’t function without the start button, do expect them to install the patches to prevent zero day exploits.

    By the way, I know this is O.T, but Firefox 24 was released today.

    • > In my humble opinion internet users need to quickly abandon Internet Explorer. Every month this year, Microsoft has had a security update for all versions of Internet Explorer.

      Chrome has had 272 updates this year. Should we all abandon Chrome also?

      • The Utah Data Center/N.S.A./ Area 51/Room 641A/XKeyscore/PRISM

        At least with with third party browsers you don’t have to do a reboot and hope the security patch doesn’t screw up Windows

    • You do realize if you ‘abandon internet explorer’ the target will simply be whatever people switch to…or maybe you don’t. An application must be secure in every aspect to be totally secure but only vulnerable in one aspect to be vulnerable, this will always be in favor of those writing exploits.

      • Many report that IE is no longer the most popular browser, falling to second place behind Chrome: http://en.wikipedia.org/wiki/Usage_share_of_web_browsers#Summary_table
        However, malware coders don’t seem to have shifted their focus to Chrome. (Is this because it’s easier to find vulnerabilities in IE? Or is it because IE users tend to be unsophisticated, IMHO, and therefore easier to fool into downloading malware?)

      • The Utah Data Center/N.S.A./ Area 51/Room 641A/XKeyscore/PRISM

        But then you wouldn’t have to deal with the Active-X controls which is one of the biggest faults of Internet Explorer in my opinion.

    • Which is why I’ve turned by back completely on Microsoft.

  5. Lysergic Acid Diethylamide

    Brian, speaking of patches, maybe make a post or addendum about Oracle’s Java being updated to “Version 7 Update 40″ (!!).

    https://blogs.oracle.com/java/entry/java_se_7_update_40

    I was so surprised when I went to update it, as I thought the latest version was Update 25, that I checked various tech sites to see if the Java Control Panel was actively serving malware. The version number had jumped 15 in one update! Anyway, even though I updated it, I still keep it disabled in the browser :-Þ

  6. Note that the Fix It is only for the 32-bit version of Internet Explorer. If you’re running 64-bit IE, then you’re out of luck.

  7. Pity that the Microsoft Security Advisory does not say which is the fix enabler and which is the fix disabler. Running either leaves me none the wiser. I suppose that Microsoft Security Advisory people will catch on eventually.

    Does nobody at MS check these things?

    • D’oh! I must get my eyes tested!!!

    • Checked it at 7:41 EDST. It shows “Enable-Disable” above the icon. Are you referring to the actual icon being reused or the fact that “E-D” was missing? If it was the latter, now that’s funny!

  8. Thank God they didnt blame it on java this time…..lol

  9. Its not just Microsofts issue. Look at Java. Flash. Firefox and more.

    Its a trend thing. The bad guys are very aware of what to exploit. YEARS ago, I was researching a potential issue and I ran across the HTML page that showed hundreds upon hundreds of attack types on one page. It was pretty obvious at that time that the bad guys were simply looking for things that would gain them access to a machine and at best, give them root access.

    There are alot of velnerabilities out there that we – and so that the bad guys – do not know about. Its the complexity of the code. If you research what the “expected amount of errors in lines of code” its staggering. The error rate per line is not high, but when you have 100,000-plus lines of code, those potential issues are there.

    Machine language, code, the program, whatever you wish to call it is only as good as the programmers are. They have a budget, a deadline and limited amount of resources. Some code strict, others do it their own way. Somethings work, others don’t so they may add a work around to get it to work. That can add to issues.

    The problem with Microsoft is they don’t start from scratch on any product. In their mind, why should they? if they have something thats popular, and works, if issues pop-up we can address them later.

    I’d like to know the true meaning of the name “windows”. In the past I personally have seen machines connecting to microsoft.com and doing what appears to have been a dumping of a text file at a microsoft URL. I don’t know if that is common practice, but it was noted and reported.

    Coding is like, hummmm taking a sacred writing and changing it to reflect the comprehension of the people who currently read that sacred piece. Thats possible, but now try a re-write without changing the overall perception of the document. Thats when it gets scary. That is the way coding goes.

    Code being complex cannot simply be used in chunks, or snap-ins due to they way all the software works. Keeping the software proprietary means someone has the potential to brand, trademark and corner-market an idea or strategy.

    Some code goes ALL the way back to the beginning of when the product was developed from the ground up. There are MANY programs and features out there that I call the Perverted Plaster of Paris hut. You start out with a nice clean hut, and over time, as cracks and other issues arise, you simply repair what is needed with some good ol’ plaster of paris. over time that hut looks demented due to the amount of issues found within it.

    Its a never ending battle. No matter the software, if it is popular, people like Fame for finding an issue. Fame for expoiting an issue and Ca$h for getting root access from a flawed product.

  10. That is the main reason our company does not use IE. 0-day flaws everywhere… Mozilla + NoScript = true protection.

    • Rabid Howler Monkey

      Actually, there’s Enhanced Security Configuration (ESC) for IE that, more or less, behaves like Firefox + NoScript. Unfortunately, Microsoft has seen fit to only provide ESC for IE on its Windows Server OSs.

      If one looks at Microsoft’s security advisory here:

      http://technet.microsoft.com/en-us/security/advisory/2887505

      A mitigation for this exploit, along with EMET (which is available for both Windows client and server OSs), is ESC for IE … available on Windows server OSs only.

      • ESC is nothing more than an easy way to tighten IE’s security settings per KB 815141… if someone with a client Windows OS wants to enable those settings manually (or perhaps via GPO in a workplace setting) then go for it. The main modifications are 1) increasing the Internet security zone setting to High and 2) disabling all automatic detection of the Local intranet zone, although there are others tweaks per the article.

        • Rabid Howler Monkey

          ESC for IE also provides an easier mechanism to add one’s legitimate and frequently visited sites to the trusted zone. One merely navigates to the site and a few clicks later it is added to the trusted zone. There’s no typing in URLs via the keyboard (which is prone to error) or copying URLs from the site’s tab and pasting it to add the site to the trusted zone.

          Ease of use has had a lot to do with the success of NoScript.

  11. Just wait a little while until after Microsoft release the last updates for windows XP next April, then you will see more exploits than you can shake a stick at, most of China amongst others runs on XP. Be afraid be very afraid!

    • I can’t even run xp on my network anymore. Even after a full format it doesn’t last more then a month before it starts crashing and I can’t afford any new hdds. Most of my friends that use xp, and actually use their computer alot, also have problems with it. XP just becomes totally unusable very quickly no matter what patches MS comes out with.

      I have to install lightweight linux distros to use xp in a vm now. For things like printing coupons or using windows only programs on older machines. Linux works fine with no issues and we can do all the same things.

    • “Just wait a little while until after Microsoft release the last updates for windows XP next April, then you will see more exploits than you can shake a stick at, most of China amongst others runs on XP. Be afraid be very afraid!”

      I thought they, being China, used a copycat version?

      • If that’s a rhetorical question meant to disparage the Chinese’s ability to innovate, I will point out that Korean-designed and -built cars used to be craptacular but those produced now are among the best in the U.S. (see Consumer Reports) yet they still seem to have a price advantage.

        If you meant “pirated” instead of “copycat,” I will say I have read that somewhere myself.

        • Sweden designs our secret computers ;)

          • You misspelled “Snowden.” :p

            (Who’s the ‘we’ in “our”?)

            But seriously…
            I received CooloutAC’s comment (the one I’m replying to) via email but I accessed this webpage to see which comment it’s a reply to. When I got to the comment form at the bottom of the page, “CooloutAC” was in the NAME field and a corresponding address (one I had never seen before) was in the EMAIL field! o_O (I’m using Firefox 24.0 on Windows XP, if it matters.)

  12. There’s also a new update for Adobe Flash, but only for IE (the ActiveX version) as a non-IE version hasn’t been posted. The Adobe front page leads to a stub installer, but the complete installer can be downloaded directly from the webpage below and will bring the AX Flash version to 11.8.800.174 (the non-AX version remains at 11.8.800.168).

    http://www.adobe.com/products/flashplayer/distribution3.html

    • The AX (IE) version of Flash has now been updated to v11.8.800.175, while the non-IE plugin version remains at 11.8.800.168.

  13. Msft Fix It is only for the 32 bit versions…………………

  14. The Utah Data Center/N.S.A./ Area 51/Room 641A/XKeyscore/PRISM

    Microsoft rushes out emergency fix for Internet Explorer after “targeted attacks”
    http://feedproxy.google.com/~r/eset/blog/~3/LpBtmNoVIeg/?utm_source=feedburner&utm_medium=email

  15. what about me? i have iexplore 10.0.9200.16686

  16. Hello Brian what about the new Java updates? we have to delete the old ones? or ?

    • “…what about the new Java updates? we have to delete the old ones?”

      Tim, on Java’s faqs/kb they do suggest to delete old java versions before installing new version. Though, I always wait until after I update new versions to make sure it works with all in-house programs.

      If you don’t delete the old Java versions, they just hang out with the new versions in the P&F folder.

  17. Applying the MS FixIt fix to my Win 7 64bit laptop with IE10 messed up the computer pretty badly. I had to go back to a restore point just before I installed the fix, and that corrected things. I never use IE, only chrome or firefox.

    • Did you not see the notice on the FixIt webpage that it was for 32-bit versions ONLY?

      • How hard would it have been for the Fix It patch to verify that it was in a 32-bit environment before proceeding? And, why should 64-bit Windows users not have a patch?

        I fault the programmers at Microsoft, not Doug, for the SNAFU.

  18. Great feedback with good advice from many different opinions.

    Several people noted using FF (Moz) + NoScript. Since I started reading Krebs (<=mo), I am now running NoScript with FF, and I believe it is helping protect my surfing onus, while I am learning about how NS works. I still have to choose "allow all this page" too many times when I want to watch a news video clip (ex). When I look at the NS white list and see what sites are added, it is a bit overwhelming to figure out what is good and what is bad. Am I allowing potentially bad sites to the white list bc I choose "allow all this page?"

    Today I noticed my first CSS (XSS) potential contamination message when I wanted to watch a CBS Miami video news clip. No matter how many times I chose "allow all this page" (it still blocks quite a bit of add-ons, etc) and the website reloads, but the video news clip would not load to play. So, I gave up and figured it was in my best interest.

    Good stuff, thank you!

  19. The Utah Data Center/N.S.A./ Area 51/Room 641A/XKeyscore/PRISM

    The key words here are “disable Active Scripting”

    “Upon applying the Fix it solution, users are also advised to set their internet and local intranet security zone settings to “high” to prevent exploitation of the bug, Childs wrote. While browsing, users should also disable Active Scripting – a Windows feature used to implement component-based scripting support – or configure IE so they are prompted when Active
    Scripting runs.”

    http://www.scmagazine.com/microsoft-releases-temporary-fix-for-new-ie-zero-day-exploited-in-the-wild/article/312158/?DCMP=EMC-SCUS_Newswire#

    • > The key words here are “disable Active Scripting”

      Hear, hear! Better yet, “disable Internet Explorer”…

      The only thing I use ever use IE for anymore is Windows Update. The house-of-cards engineers at Microsoft can’t even patch their own product correctly without an interim (32-bit only) Fix It card? Pardon my language, folks, but that’s piss-poor programming.

  20. I remember back in the day companies use to postpone releasing a product because they were still fixing bugs in it. After release you might get one patch that fixed the bugs they didn’t find.

    Now it seems that companies rush out a product to meet a deadline (bug free or not) knowing that users will find and report the bugs to them. Not only are users hurt by the bugs but they also don’t get any compensation for doing what the companies should be doing before release in the first place.

    “The bugs in that version are fixed in this new version. Oh … and by the way your old licenses are not valid with the new version so you will need to purchase them all again … even though the new version is just the old code with some changes made to it.”

    It’s all a load of carp.

    • Indeed, the .0 (point-zero) major releases ​of many software products have been notoriously buggy. Microsoft maintains that tradition with Windows 8.0 — I wonder what market analysis geniuses and/or committee group-think led them to omit the Start button?

      ​Microsoft’s not very good at counting, either — how about that Windows version numbering system?
      1.0 (?)
      2.0 (?)
      3.0 / 3.1 / 3.11 (Windows / Windows for Workgroups)
      95 (Version 4?)
      98/98SE (Version 5/5.1?)
      Me (Version 6?)
      XP (Version 7?)
      Vista (Version 8?)
      7 (Version 9?)
      8 (Version 10?)​

      (I’m not sure where to put NT 3.1, 3.5, 3.51, 4.0 or 2000 ;-)

      • Then there is the long standing belief that you should never buy an even numbered major release from MS. The even number major release is where they attempt all sorts of fancy new features, the following odd number major release is where they fix all the bugs introduced in the previous major version.

  21. I just got to read this.

    I went to the URL for the fix.
    It has two versions, 51001 and 51002.
    Maybe I did not read the page carefully enough, but how does one know which one to use ?

    (There is one part of one application that forces me to use IE).

    • Although it isn’t actually in “fine print”, there are labels aside those two options’ buttons that refer to enabling and disabling the fix — enabling applies the fix, disabling removes the fix (in case a future Windows Update requires and doesn’t automatically do so).

  22. Thanks, JimV.

    Now I see what it says above the button.
    What confused me :
    1) The enable/disable statements are separated from the buttons by a horizontal line
    2) Under both buttons it says “Fix this problem”

    Still, if I read the whole thing carefully I should have been able to figure it out.

  23. Great to know about the fix, at least they are admitting it’s gonna take time to get a permanent fix.

    • With all due respect, that’s what a Microsoft sock puppet would say.

    • Maybe I’m stupid, but it’s hard for me to understand if they’ve identified the vulnerability and they know how to temporarily Fix It, why can’t they just permanently fix it in the first place? Is there yeast that needs to rise, or what?

      Beyond that, they put the onus on the end user to undo the temporary Fix It before applying the permanent fix?? Can’t their permanent fix undo the temporary Fix It during a reboot?

      Next they’ll be asking us to burn a live Linux CD with the final fix — it’s as though the Windows OS is really just ONE BIG ROOTKIT! ;-) Actually, for all the XP users out there, the final fix next April may very well be a Linux CD…

      • Identifying the general buggy component is much easier than determining a safe and correct fix.

        Note that disabling the component disables a lot more than just the precise buggy code path.

        Fixing also involves a lot of testing to ensure nothing else breaks because of the fix, and sometimes to see if there are other instances of the problem elsewhere.

  24. Microsoft Fix it 51001 & Microsoft Fix it 51002 applied. Hope that helps. Seems a major problem (affects even IE 6).

    • If you applied both FixIt patches in that sequence (“Enable” with 51001 then “Disable” with 51002), you are not protected as 51002 undoes whatever 51001 actually does.

  25. So what is the correct sequence if any?

    • To protect your computer(s) from the exploit, run 51001 to enable the FixIt changes that will do so — then, leave it alone. If at some point there is a formal patch on one of the monthly update cycles that might require that FixIt patch to be removed before the permanent patch is applied, you would need to run 51002 to disable or “undo” whatever 51001 changes. Microsoft may (or may not) build that step into the permanent patch, but that detail will be presented in the deployment guidance that is posted before the monthly Patch Tuesday releases. If you monitor Brian’s website or get its notices of new postings, he should cover that aspect in his monthly discussion of the patch cycles for MS and others.

  26. Well, folks, tomorrow’s the Big Day (a.k.a. Patch Tuesday) –

    Will Microsoft be able to craft a patch in 20 days that will properly resolve this vulnerability?

    Moreover, does anyone care to place a bet on whether they are able to write a software routine that can Undo the slapdash stopgap FixIt patch without the end user having to go back and apply the UnFixIt manually? (Maybe they’ll label the FixIts a little more clearly, too?)

    SMH. Why have so many people come to tolerate such goofiness from Microsoft, yet defend them so vociferously? Is this the digital equivalent of Stockholm Syndrome?

    P.S. BTW, the slickest piece of self-updating software I know of (and use everyday) is ProcessLasso by Bitsum.com, first discovered on Giveawayoftheday.com. ProcessLasso provides a choice of manual notification or fully automatic operation coupled with a choice of main releases only or beta experimentals, a strategy that works well for both novices and tweakers. Lauding them is a case of “Credit where credit is due.” Full disclosure: I have no financial interest in ProcessLasso, I just think it’s a great piece of software!

    • Well, whadya know, the newly hired programmers fixed it right:

      “Microsoft late last month released a stopgap “Fix It” solution to block exploits against the zero-day flaw, and the good news is that if you already applied that solution, you don’t need to undo those changes before applying this update.”

      From: Adobe, Microsoft Push Critical Security Fixes — Krebs on Security
      https://krebsonsecurity.com/2013/10/adobe-microsoft-push-critical-security-fixes-3/

      Thanks for the understandable update, Mr. Krebs.