A working exploit that takes advantage of a previously unknown critical security hole in Internet Explorer has been published online. Experts say the vulnerability is being actively exploited in the wild, and that it appears to be connected to the same group of Chinese hackers responsible for unleashing a pair of Java zero-day exploits late last month.
Researchers at security vulnerability testing firm Rapid7 have added a new module to the company’s free Metasploit framework that allows users to successfully attack the vulnerability on Internet Explorer versions 7, 8 and 9 on Windows XP, Vista and 7.
“Computers can get compromised simply by visiting a malicious website, which gives the attacker the same privileges as the current user,” Rapid7 researcher “sinn3r” wrote on the firm’s blog. “Since Microsoft has not released a patch for this vulnerability yet, Internet users are strongly advised to switch to other browsers, such as Chrome or Firefox, until a security update becomes available. The exploit had already been used by malicious attackers in the wild before it was published in Metasploit. The associated vulnerability puts about 41% of Internet users in North America and 32% world-wide at risk.”
News of the IE exploit surfaced at the blog of security researcher and blogger Eric Romang, who said he discovered the attack code while examining a Web server recently used by Chinese hackers to launch targeted attacks via zero-day Java vulnerabilities that were patched by Oracle last month. Romang and other experts have connected the sites serving those Java exploits to the Nitro attacks of 2011, espionage attacks directed against at least 48 chemical and defense companies.
I pinged Microsoft for a comment but have not yet heard back from them. I suspect they are preparing an advisory about this threat, and I will update this post when I receive a response. Until an official fix is available, IE users would be wise to surf with another browser.
I only use IE for updating Windows monthly (or when an out-of-cycle patch is released) and a very few sites that require the ^&*%! thing because of ActiveX, so I’ll certainly avoid its use until a patch or FixIt workaround is offered and stick with my usual FF for browsing. As usual, Brian, thanks for the heads-up!
Is IE10 affected?
No
Is this the same exploit mentioned at http://nakedsecurity.sophos.com/2012/09/17/new-ie-zero-day-exploit-poison-ivy/?
Yes, that is the same 0day.
The Register had a funny line in their subtag for their article on this, referring to IE:
“It’s more like an exploit than a browser…”
Another line I just read… “IE stands for Is_Exploitable…”
Microsoft Security Advisory (2757760) has been posted for this vulnerability. Win 8 and IE-10 are reportedly not affected.
Thanks for the mention and, as always, for your fantastic news!
What do you think of EMET as a mitigation for this exploit?
I don’t want to speak for Brian here, but the Microsoft advisory (http://technet.microsoft.com/en-us/security/advisory/2757760) does recommend using it. That advisory, though, does mention a limit to its effectiveness, saying that it merely “makes the vulnerability harder to exploit”, not that it outright stops it cold.
The advisory also says that EMET should not be necessary if running MS Server 2003 or later.
Thanks Brian for the heads up!
I feel Microsoft should give up on IE. I will agree with The Register: it’s an exploit more than a browser.
I don’t really understand why you need these extra tools. This exploit is caught by both Symantec Endpoint Protection and also the freely available Microsoft Security Essentials. What am I missing here?
Because the crackers will not stop doing their homework; just because this particular exploit is detectable now does not mean the same vulnerability cannot be attacked using different code that is not detectable because of zero-day release. Most AV/AM will catch up in two or three days, but by then the malware will be updated to a new undetectable version.
Malware is becoming increasingly impossible to detect using the usual methods, and malware that is entrenched is becoming more and more difficult to remove.
Wow that was unusual. I just wrote an extremely long comment but after I clicked submit my comment didn’t appear. Grrrr… well I’m not writing all that over again. Regardless, just wanted to say wonderful blog!
Brian, did you ever hear back from Microsoft?
I’ve been researching the concept of Active Directory Privilege Escalation and while it’s not prone to zero-day vulnerabilities, it does provide an easy way to get into and take over an organization’s systems.
If you’re into privilege escalation based avenues to system compromise, feel free to stop by.