4/29/2014
05:50 PM

New IE Zero-Day Prompts More Calls to Ditch Windows XP

Experts urge Windows XP users who run IE to upgrade to an operating system that Microsoft still supports.

It has been a rough few days for Internet Explorer.

A vulnerability affecting IE versions 6 through 11 was reported over the weekend that allows an attacker to remotely execute code in the context of the user if the victim can be tricked into visiting a malicious website. The vulnerability was discovered being used in an attack campaign dubbed "Operation Clandestine Fox" by researchers at FireEye.

In the aftermath of the discovery, the CERT teams in the UK and the US have advised users to consider ditching the browser until Microsoft issues a patch. So far, Microsoft has not indicated when a fix will arrive.

According to an advisory from CERT-UK:

This vulnerability… affects Internet Explorer running on any version of the Windows Operating System although Microsoft has indicated that versions of Windows Server and Microsoft mail applications are protected to some degree. Its significance is likely to be that, even once patched, users of Windows XP will be at risk because on current plans no patch would be issued for that version of the Operating System following its end of life. As the first such vulnerability to appear, this one is likely to receive a greater than normal level of interest.

While IE versions 6 through 11 are vulnerable, the attack detected by FireEye appears to only be targeting versions 9, 10, and 11. But that is no small number of users. According to NetMarket Share, the market share for 9, 10, and 11 averaged more than 26 percent for 2013.

The good news is that, according to Microsoft, versions 10 and 11 mitigate the vulnerability by having "Enhanced Protected Mode" on by default. The issue is also mitigated via the Enhanced Mitigation Experience Toolkit (EMET) 4.1 and EMET 5.0.

The known exploit for this issue uses a Flash exploitation technique to achieve arbitrary memory access and bypass Windows’ Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP) protections. If Flash Player is disabled or removed, the exploit will be blocked -- though the root cause of the issue will still remain.  

Says Pedro Bustamante, director of special projects at Malwarebytes:

Vulnerabilities such as this will be an increasing threat for all Internet users. The interim risk to people and businesses using IE 6 to 11, until Microsoft pushes out a patch, is troubling. But the more potentially severe issue is that anyone still using XP will be completely exposed as long as they continue to use the unsupported OS. For them there will never be a patch. This is worrying because it can put a significant amount of personal data at risk from highly stealthy attacks, including bank details and other private information.

This zero-day is likely the first of what will inevitably be multiple issues to affect Windows XP in the post-XP era, says Ross Barrett, senior manager of security engineering at Rapid7.

"Overall, this issue isn't all that different from any number of IE 0-days -- we usually get three or four every year -- except that it's the first in the post-XP world," says Barrett. "All the more reason for users to move to modern, supported operating systems where advanced mitigation techniques are available."

Brian Prince is a freelance writer for a number of IT security-focused publications. Prior to becoming a freelance reporter, he worked at eWEEK for five years covering not only security, but also a variety of other subjects in the tech industry. Before that, he worked as a ...

Comments
theb0x, User Rank: Moderator, 4/30/2014 | 4:12:11 PM
Re: Protect Yourselves
The solution is quite simple. This IE exploit only affects user accounts with Administrative privileges.

In fact this has nothing to do with XP at all. Do not operate IE as an Administrator and you will be immune to this particular exploit.

However, a simple Metasploit attack vector can easily be leveraged to System privileges, bypassing any security in place on an XP machine. That being said, XP = Instant PWN!

XP is broken. There is no way to harden IE or the OS itself.

Robert McDougal, User Rank: Ninja, 4/30/2014 | 3:45:19 PM
Re: Protect Yourselves
No problem, I understand completely. Many organizations have web apps that will only work on older versions of IE. One way to mitigate this shortcoming is to use an application virtualization technology such as Citrix to sandbox IE.
Lorna Garey, User Rank: Ninja, 4/30/2014 | 3:23:42 PM
Re: Protect Yourselves
Thanks - sadly, not everyone can dump IE.
Robert McDougal, User Rank: Ninja, 4/30/2014 | 3:18:32 PM
Re: Workaround
Yes, if you must use a version of IE older than 10, disabling Flash should provide you with protection from the vulnerability.
Robert McDougal, User Rank: Ninja, 4/30/2014 | 3:12:29 PM
Protect Yourselves
For anyone that must use IE to perform their daily work, I highly recommend you enable Enhanced Protected Mode (IE 10 and IE 11). Otherwise my recommendation is to use another web browser until this bug is patched.

This is taken directly from the advisory but it is important everyone is aware.

To enable EPM in Internet Explorer, perform the following steps:
  1. On the Internet Explorer Tools menu, click Internet Options.
  2. In the Internet Options dialog box, click the Advanced tab, and then scroll down to the Security section of the settings list.
  3. If you are running Internet Explorer 10, ensure the checkbox next to Enable Enhanced Protected Mode is selected.
  4. If you are running Internet Explorer 11, ensure the checkboxes next to Enable Enhanced Protected Mode and Enable 64-bit processes for Enhanced Protected Mode (for 64-bit systems) are selected.
  5. Click OK to accept the changes and return to Internet Explorer.
  6. Restart your system.


Microsoft Security Advisory 2963983
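As an added example (not part of the post or the Microsoft advisory), the following PowerShell script audits a Windows machine for the two mitigations discussed in this thread: whether Enhanced Protected Mode (and its 64-bit processes option) is on, and whether the Flash ActiveX control has been kill-bitted. The registry locations and the Flash CLSID are assumptions based on how IE stores these settings, so verify them against your own build before relying on the output.

```powershell
# Added audit script, not from the article or advisory. Assumed registry locations:
#   HKCU\Software\Microsoft\Internet Explorer\Main   Isolation = "PMEM"  -> EPM enabled
#                                                    Isolation64Bit = 1  -> 64-bit EPM processes
#   HKLM\Software\Policies\...\Main                  same values when set by Group Policy
#   HKLM\...\ActiveX Compatibility\{Flash CLSID}     'Compatibility Flags' bit 0x400 -> kill bit
$FlashClsid = '{D27CDB6E-AE6D-11cf-96B8-444553540000}'   # assumed: Shockwave Flash Object CLSID

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null instead of throwing when the key or value is absent
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

function Get-IeMitigationStatus {
    $main   = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
    $policy = 'HKLM:\Software\Policies\Microsoft\Internet Explorer\Main'
    $ieKey  = 'HKLM:\Software\Microsoft\Internet Explorer'
    $killBitKey = "HKLM:\Software\Microsoft\Internet Explorer\ActiveX Compatibility\$FlashClsid"

    # A policy-set value takes precedence over the per-user setting
    $isolation = Get-RegValue $policy 'Isolation'
    if (-not $isolation) { $isolation = Get-RegValue $main 'Isolation' }
    $iso64 = Get-RegValue $policy 'Isolation64Bit'
    if ($null -eq $iso64) { $iso64 = Get-RegValue $main 'Isolation64Bit' }

    # IE 10/11 report their real version in svcVersion; older builds only have Version
    $ieVersion = Get-RegValue $ieKey 'svcVersion'
    if (-not $ieVersion) { $ieVersion = Get-RegValue $ieKey 'Version' }

    $flags = Get-RegValue $killBitKey 'Compatibility Flags'

    [pscustomobject]@{
        IEVersion         = $ieVersion
        EPMEnabled        = ($isolation -eq 'PMEM')
        EPM64BitProcesses = ($iso64 -eq 1)
        FlashKillBitSet   = ($null -ne $flags -and ($flags -band 0x400) -ne 0)
    }
}

$status = Get-IeMitigationStatus
$status | Format-List
if (-not $status.EPMEnabled) {
    Write-Warning 'Enhanced Protected Mode is off: enable it per the steps above or use another browser until patched.'
}
if (-not $status.FlashKillBitSet) {
    Write-Warning 'Flash ActiveX control is not kill-bitted: the known exploit depends on Flash.'
}
```

Run it in the context of the user whose IE settings you want to check, since EPM is stored per user unless set by Group Policy.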
Lorna Garey, User Rank: Ninja, 4/30/2014 | 3:05:56 PM
Workaround
If for some reason you had to use an older version of IE, would disabling Flash be helpful?