September 17, 2012

A working exploit that takes advantage of a previously unknown critical security hole in Internet Explorer has been published online. Experts say the vulnerability is being actively exploited in the wild, and that it appears to be connected to the same group of Chinese hackers responsible for unleashing a pair of Java zero-day exploits late last month.

Researchers at security vulnerability testing firm Rapid7 have added a new module to the company’s free Metasploit framework that allows users to successfully attack the vulnerability on Internet Explorer versions 7, 8 and 9 on Windows XP, Vista and 7.

“Computers can get compromised simply by visiting a malicious website, which gives the attacker the same privileges as the current user,” Rapid7 researcher “sinn3r” wrote on the firm’s blog. “Since Microsoft has not released a patch for this vulnerability yet, Internet users are strongly advised to switch to other browsers, such as Chrome or Firefox, until a security update becomes available. The exploit had already been used by malicious attackers in the wild before it was published in Metasploit. The associated vulnerability puts about 41% of Internet users in North America and 32% world-wide at risk.”

News of the IE exploit surfaced at the blog of security researcher and blogger Eric Romang, who said he discovered the attack code while examining a Web server recently used by Chinese hackers to launch targeted attacks via zero-day Java vulnerabilities that were patched by Oracle last month. Romang and other experts have connected the sites serving those Java exploits to the Nitro attacks of 2011, espionage attacks directed against at least 48 chemical and defense companies.

I pinged Microsoft for a comment but have not yet heard back from them. I suspect they are preparing an advisory about this threat, and will update this post when I receive a response. Until an official fix is available, IE users would be wise to surf with another browser.


18 thoughts on “Exploit Released for Zero-Day in Internet Explorer”

  1. JimV

    I only use IE for updating Windows monthly (or when an out-of-cycle patch is released) and a very few sites that require the ^&*%! thing because of ActiveX, so I’ll certainly avoid its use until a patch or FixIt workaround is offered and stick with my usual FF for browsing. As usual, Brian, thanks for the heads-up!

  2. Richard Steven Hack

    The Register had a funny line in their subtag for their article on this, referring to IE:

    “It’s more like an exploit than a browser…”

  3. Reid

    Microsoft Security Advisory (2757760) has been posted for this vulnerability. Win 8 and IE-10 are reportedly not affected.

  4. Christoph

    What do you think of EMET as a mitigation for this exploit?

      1. Shinki-itten

        The advisory also says that EMET should not be necessary if running MS Server 2003 or later.

  5. Jim Williams

    I don’t really understand why you need these extra tools. This exploit is caught by both Symantec Endpoint Protection and also the freely available Microsoft Security Essentials. What am I missing here?

    1. JCitizen

      Because the crackers will not stop doing their homework; just because this particular exploit is detectable now does not mean the same vulnerability cannot be attacked using different code that is not detectable because of its zero-day release. Most AV/AM will catch up in two or three days, but by then the malware will be updated to a new undetectable version.

      Malware is becoming increasingly impossible to detect using the usual methods, and malware that is entrenched is becoming more and more difficult to remove.

  6. download firefox

    Wow, that was unusual. I just wrote an extremely long comment but after I clicked submit my comment didn’t appear. Grrrr… well, I’m not writing all that over again. Regardless, just wanted to say wonderful blog!

  7. Nik

    Brian, did you ever hear back from Microsoft?

    I’ve been researching the concept of Active Directory Privilege Escalation and while it’s not prone to zero-day vulnerabilities, it does provide an easy way to get into and take over an organization’s systems.

    If you’re into privilege escalation based avenues to system compromise, feel free to stop by.
