Posts Tagged: IE 0day


1
May 14

Microsoft Issues Fix for IE Zero-Day, Includes XP Users

Microsoft has issued an emergency security update to fix a zer0-day vulnerability that is present in all versions of its Internet Explorer Web browser and that is actively being exploited. In an unexpected twist, the company says Windows XP users also will get the update, even though Microsoft officially ceased supporting XP last month.

IEwarning

The rushed patch comes less than five days after the software giant warned users about active attacks that attempt to exploit a previously unknown security flaw in every supported version of IE. This flaw can be used to silently install malicious software without any help from users, save for perhaps browsing to a hacked or malicious site.

“We have made the decision to issue a security update for Windows XP users,” writes Dustin C. Childs, group manager, response communications at Microsoft. “Windows XP is no longer supported by Microsoft, and we continue to encourage customers to migrate to a modern operating system, such as Windows 7 or 8.1. Additionally, customers are encouraged to upgrade to the latest version of Internet Explorer, IE 11.”

Microsoft says the majority of customers have automatic updates enabled and will not need to take any action because protections will be downloaded and installed automatically. Windows users who don’t take advantage of the automatic updates feature of Windows (or who don’t wish to wait around for it to install the patch) can do so by visiting Windows Update.


27
Apr 14

Microsoft Warns of Attacks on IE Zero-Day

Microsoft is warning Internet Explorer users about active attacks that attempt to exploit a previously unknown security flaw in every supported version of IE. The vulnerability could be used to silently install malicious software without any help from users, save for perhaps merely browsing to a hacked or malicious site.

In an alert posted on Saturday, Microsoft said it is aware of  “limited, targeted attacks” against the vulnerability (CVE-2014-1776) so far.

Microsoft’s security advisory credits security firm FireEye with discovering the attack. In its own advisory, FireEye says the exploit currently is targeting IE9 through IE11 (although the weakness also is present in all earlier versions of IE going back to IE6), and that it leverages a well-known Flash exploitation technique to bypass security protections on Windows.

ie0daymitigationMicrosoft has not yet issued a stopgap “Fix-It” solution for this vulnerability. For now, it is urging IE users to download and install its Enhanced Mitigation Experience Toolkit (EMET), a free tool that can help beef up security on Windows. Microsoft notes that EMET 3.0 doesn’t mitigate this attack, and that affected users should instead rely on EMET 4.1. I’ve reviewed the basics of EMET here. The latest versions of EMET are available here.

According to information shared by FireEye, the exploit also can be blocked by running Internet Explorer in “Enhanced Protected Mode” configuration and 64-bit process mode, which is available for IE10 and IE11 in the Internet Options settings as shown in the graphic above.

This is the first of many zero-day attacks and vulnerabilities that will never be fixed for Windows XP users. Microsoft last month shipped its final set of updates for XP. Unfortunately, many of the exploit mitigation techniques that EMET brings do not work in XP.


8
Oct 13

Adobe, Microsoft Push Critical Security Fixes

Adobe and Microsoft today each issued software updates to fix critical security issues in their products. Microsoft released eight patch bundles to address 26 different vulnerabilities in Windows and other software – including not just one but two zero-day bugs in Internet Explorer. Adobe’s patches fix a single critical vulnerability present in both Adobe Acrobat and Reader.

crackedwinFour of the eight patch bulletins from Microsoft earned its most dire “critical” rating, meaning the updates fix problems deemed so severe that miscreants or malware could use them to break into vulnerable systems without any help from users. The patches impact a broad range of Microsoft products, including Windows, IE, SharePoint, .NET Framework, Office and Silverlight.

Front and center in the Microsoft patch batch is MS13-080, which addresses the zero-day IE vulnerability (CVE-2013-3893) that Microsoft first warned about on Sept. 17, as well as nine other security flaws in the default Windows Web browser. Amping up the threat level on this flaw, exploit code allowing attackers to leverage the flaw was released publicly last week as a module for the Metasploit exploit framework, a penetration testing toolkit.

Microsoft late last month released a stopgap “Fix It” solution to block exploits against the zero-day flaw, and the good news is that if you already applied that solution, you don’t need to undo those changes before applying this update. The bad news is that this isn’t the only zero-day vulnerability fixed in the IE patch bundle: Researchers at Trustwave Spiderlabs say they’ve confirmed that attackers are already exploiting one of the other flaws fixed in this IE update  (CVE-2013-3897).

Continue reading →


14
May 13

Microsoft, Adobe Push Critical Security Updates

Microsoft and Adobe today each released updates to fix critical security holes in their software. Microsoft’s patch batch tackles at least 33 vulnerabilities in Windows and other products, including a fix for a zero-day vulnerability in Internet Explorer 8 that attackers have been exploiting. Separately, Adobe pushed security updates for Flash Player, Adobe Reader, Acrobat and Adobe AIR.

crackedwinMicrosoft’s Patch Tuesday bundle includes two separate updates for Internet Explorer; the first (MS13-037) is a cumulative update for Internet Explorer. The second is a fix (MS13-038) specifically for a critical bug in IE 8 that miscreants and malware have been using to break into Windows computers. Other, slightly less severe holes were fixed in Microsoft Publisher, Word, Visio and Windows Essentials.

Last week, Microsoft released a stopgap “Fix-it” tool to help blunt the threat from the IE8 zero-day flaw. If you installed that interim fix, Microsoft recommends taking a moment to disable it before applying today’s patches.

<soapbox>On a side note..Dear Microsoft: Please stop asking people to install Silverlight every time they visit a Microsoft.com property. I realize that Silverlight is a Microsoft product, but it really is not needed to view information about security updates. In keeping with the principle of reducing the attack surface of an operating system, you should not be foisting additional software on visitors who are coming to you for information on how to fix bugs and vulnerabilities in Microsoft products that they already have installed. </soapbox>

Silverlight required? C'mon, Microsoft!

Silverlight required? C’mon, Microsoft!

As it usually does on Microsoft’s Patch Tuesday, Adobe used the occasion to push its own security updates. A new version of Flash (v. 11.7.700.202 for Mac and Windows systems) fixes 13 vulnerabilities.  IE 10 and Google Chrome automatically update themselves to fix Flash flaws. This link should tell you which version of Flash your browser has installed. If your version of Chrome is not yet updated to v. 11.7.700.202, you may need to just restart the browser.

Continue reading →


14
Jan 13

Microsoft Issues Fix for Zero-Day IE Flaw

Microsoft today deviated from its usual monthly patch cycle in issuing an emergency security update to fix a critical security hole in its Internet Explorer Web browser that attackers have been exploiting to break into Windows PCs.

IEwarningThe update, MS13-008, addresses a single vulnerability in IE versions 6 through 8, and is available through Windows Update. The patch comes a little more than two weeks after security firms began seeing evidence that hackers were leveraging the vulnerability in targeted attacks. Microsoft maintains that it has seen only a limited number of attacks against the flaw, but acknowledged in a blog post that “the potential exists that more customers could be affected.”

Prior to today, Microsoft released a stopgap Fix It tool to help blunt attacks against the IE flaw. According to Microsoft, “if you previously applied the Fix it offered through the advisory, you do not need to uninstall it before applying the security update released today. However, the Fix it is no longer needed after the security update is installed, so we are recommending that you uninstall it after you have applied the update to your system.” Users who applied the Fix It solution can uninstall it by clicking the Fix It icon under the words “Disable MSHTML shim workaround” at this page.


8
Jan 13

Adobe, Microsoft Ship Critical Security Updates

Adobe and Microsoft today separately issued updates to fix critical security vulnerabilities in their products. Adobe pushed out fixes for security issues in Acrobat, Adobe Reader and its Flash Player plugin. Microsoft released seven patches addressing at least a dozen security holes in Windows and other software, although it failed to issue an official patch for a dangerous flaw in its Internet Explorer Web browser that attackers are now actively exploiting.

Two of the patches that Microsoft issued today earned a “critical” rating, signifying that these vulnerabilities could be exploited to fully compromise vulnerable Windows systems without any help from users. Microsoft called special attention to two critical bugs in its XML Core Services component; the company said it is likely that malware or miscreants will figure out a way to exploit these flaws in active attacks sometime within the next 30 days.

Unfortunately, Microsoft did not offer an official fix for a critical Windows flaw that malware and miscreants are already exploiting. In late December, Microsoft acknowledged that attackers were using a previously undocumented security hole in Internet Explorer versions 6 through 8 to break into Windows PCs. Microsoft later issued a stopgap “FixIt” tool to help lessen the vulnerability on affected systems, but researchers last week demonstrated that the FixIt tool only blocked some methods of attacking the flaw, leaving other ways unguarded. Meanwhile, a working copy of the exploit has been folded into Metasploit, a free penetration testing tool.

Wolfgang Kandek, chief technology officer at vulnerability management firm Qualys, said the zero-day IE vulnerability affects 90% of the IE install base at this time.

“Microsoft is not providing a patch today, though they have provided a Fix-It for the issue,” Kandek wrote in a blog post. “The vulnerability should be tracked closely, as a large percentage of enterprises still run the affected versions.”

Users who wish to continue browsing the Web with IE should upgrade to IE9 if possible (IE10 on Windows 8 also is not vulnerable). Users still on Windows XP will not be able to update to IE9, but may be able to derive some protection from the FixIt tool and by using Microsoft’s EMET tool. XP users may be better off, however, browsing with Firefox or Chrome with some type of script blocking and/or sandbox in place. More information on how to use EMET and script blocking options is available in my Tools for a Safer PC primer. More details about today’s updates from Microsoft can be found at the Microsoft Security Response Center blog and in the security bulletin summaries for each patch.

The Adobe Flash patch fixes at least one critical vulnerability in the media player plugin. Updates are available for all supported versions of Flash, including for Windows, Mac, Linux and Android. See the chart below for the latest version number broken down by operating system.

Continue reading →


28
Dec 12

Attackers Target Internet Explorer Zero-Day Flaw

Attackers are breaking into Microsoft Windows computers using a newly discovered vulnerability in Internet Explorer, security experts warn. While the flaw appears to have been used mainly in targeted attacks so far, this vulnerability could become more widely exploited if incorporated into commercial crimeware kits sold in the underground.

IEwarningIn a blog posting Friday evening, Milpitas, Calif. based security vendor FireEye said it found that the Web site for the Council on Foreign Relations was compromised and rigged to exploit a previously undocumented flaw in IE8 to install malicious software on vulnerable PCs used to browse the site.

According to FireEye, the attack uses Adobe Flash to exploit a vulnerability in the latest (fully-patched) version of IE8. Dustin Childs, group manager for response communications at Microsoft, said the vulnerability appears to exist in previous versions of IE.

“We are actively investigating reports of a small, targeted issue affecting Internet Explorer 6-8,” Childs said in an emailed statement. “We will take appropriate action to help keep customers protected once our analysis is complete. People using Internet Explorer 9-10 are not impacted.”

As FireEye notes, this is another example of a “watering hole” attack, which involves the targeted compromise of legitimate websites thought to be of interest to or frequented by end users who belong to organizations that attackers wish to infiltrate. Earlier this year, I wrote about similar zero-day attacks against visitors to the Web sites of the National Democratic Institute, The Carter Center, and Radio Free Europe.

Update, Dec. 30, 9:25 a.m. ET: Microsoft has officially acknowledged this vulnerability in an advisory, which contains some advice for IE users about how to mitigate the threat. As IE versions 9 and 10 are not impacted, users running Windows Vista or higher can upgrade to the latest browser version here.

Update, Jan.1 8:56 p.m. ET: Microsoft’s advisory now includes a link to a stopgap “FixIt” solution that may help to blunt attacks until the company issues an official patch for this vulnerability.


19
Sep 12

Microsoft Issues Stopgap Fix for IE 0-Day Flaw

Microsoft today released a stopgap fix for a critical security flaw in most versions of Internet Explorer that hackers have been exploiting to break into Windows systems. The company said it expects to issue an official patch (MS12-063) for the vulnerability on Friday, Sept. 21.

The company released a “fix it” tool, available from this link, designed to blunt the threat of attack on this flaw for users of IE 7, 8 and 9. In a blog post, Microsoft’s Yunsun Wee said the one-click solution should not affect users’ ability to browse the Web, and it does not require the reboot of your computer. Users should not need to uninstall the fix to apply the full security patch when Microsoft releases it.

I’m glad to see Microsoft take this step. The company keeps downplaying the threat, stating that “there have been an extremely limited number of attacks,” against that this flaw and that “the vast majority of Internet Explorer users have not been impacted.” Nevertheless, as I noted in previous stories this week, a reliable exploit for this vulnerability has already been rolled into free, easy-to-use attack tools, so IE users should not delay in applying this fix-it tool.

For more information on how to harden IE against attacks, see Internet Explorer Users, Please Read This.


21
Jan 10

Microsoft Issues Emergency Fix for IE Flaw

Microsoft has issued an emergency security update to plug a critical hole in its Internet Explorer Web browser. The IE bug is the same flaw that is being blamed in part for fueling a spate of recent break-ins at Fortune 100 companies, including Google and Adobe.

If you use Microsoft Windows, please take a moment now to update your computer. Updates are available for all supported versions of IE and Windows.  The easiest way to install the patch is through Windows Update.  Users who have Automatic Updates turned on may be prompted to download and apply this within the next 48 hours or so, but honestly this is the kind of bug you probably want to quash as soon as possible.

The reason is that this is a browse-to-a-hostile-site-and-quickly-have-a-bad-day kind of flaw. What’s more, Symantec is now reporting that it has discovered hundreds of malicious and/or hacked Web sites are now serving up code that exploits this flaw to download malicious software. While many of these sites are in China, that fact matters little because hackers can always stitch code into a hacked, legitimate site that quietly and invisibly pulls down exploits from other sites. Meanwhile, security firm Websense warns that the targeted e-mail attacks leveraging this flaw continue unabated.

When computer code that exploits this IE flaw was first posted online last week, Microsoft was quick to point out that it had only seen the code working reliably against IE6 users. However, researchers now claim that the exploit can also be made to work against IE7 and even IE8 — the latest version of IE that ships with Windows 7 systems.

The fixes included in this patch aren’t limited to the publicly disclosed flaw: Microsoft has addressed seven other vulnerabilities in this patch as well. More details about this specific update are available at this Microsoft Technet page.