Attacks/Breaches
4/29/2014
05:50 PM

New IE Zero-Day Prompts More Calls to Ditch Windows XP

Experts call for Windows XP users running IE to be mindful that they should upgrade to a new system supported by Microsoft.

It has been a rough few days for Internet Explorer.

A vulnerability affecting IE versions 6 through 11 was reported over the weekend that allows an attacker to remotely execute code in the context of the user if the victim can be tricked into visiting a malicious website. The vulnerability was discovered being used in an attack campaign dubbed "Operation Clandestine Fox" by researchers at FireEye.

In the aftermath of the discovery, the CERT teams in the UK and the US have advised users to consider ditching the browser until Microsoft issues a patch. So far, Microsoft has not indicated when a fix will arrive.

According to an advisory from CERT-UK:

This vulnerability… affects Internet Explorer running on any version of the Windows Operating System although Microsoft has indicated that versions of Windows Server and Microsoft mail applications are protected to some degree. Its significance is likely to be that, even once patched, users of Windows XP will be at risk because on current plans no patch would be issued for that version of the Operating System following its end of life. As the first such vulnerability to appear, this one is likely to receive a greater than normal level of interest.

While IE versions 6 through 11 are vulnerable, the attack detected by FireEye appears to only be targeting versions 9, 10, and 11. But that is no small number of users. According to NetMarket Share, the market share for 9, 10, and 11 averaged more than 26 percent for 2013.

The good news is that, according to Microsoft, versions 10 and 11 mitigate the vulnerability by having "Enhanced Protected Mode" on by default. The issue is also mitigated via the Enhanced Mitigation Experience Toolkit (EMET) 4.1 and EMET 5.0.

The known exploit for this issue uses a Flash exploitation technique to achieve arbitrary memory access and bypass Windows’ Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP) protections. If Flash Player is disabled or removed, the exploit will be blocked -- though the root cause of the issue will still remain.  

Says Pedro Bustamante, director of special projects at Malwarebytes:

Vulnerabilities such as this will be an increasing threat for all Internet users. The interim risk to people and businesses using IE 6 to 11, until Microsoft pushes out a patch, is troubling. But the more potentially severe issue is that anyone still using XP will be completely exposed as long as they continue to use the unsupported OS. For them there will never be a patch. This is worrying because it can put a significant amount of personal data at risk from highly stealthy attacks, including bank details and other private information.

This zero-day is likely the first of what will inevitably be multiple issues to affect Windows XP in the post-XP era, says Ross Barrett, senior manager of security engineering at Rapid7.

"Overall, this issue isn't all that different from any number of IE 0-days -- we usually get three or four every year -- except that it's the first in the post-XP world," says Barrett. "All the more reason for users to move to modern, supported operating systems where advanced mitigation techniques are available."

Brian Prince is a freelance writer for a number of IT security-focused publications. Prior to becoming a freelance reporter, he worked at eWEEK for five years covering not only security, but also a variety of other subjects in the tech industry. Before that, he worked as a ...

Comments
theb0x,
User Rank: Moderator
4/30/2014 | 4:12:11 PM
Re: Protect Yourselves
The solution is quite simple. This IE exploit only affects user accounts with Administrative privileges.

In fact this has nothing to do with XP at all. Do not operate IE as an Administrator and you will be immune to this particular exploit.

However, a simple Metasploit attack vector can easily leverage to System privileges bypassing any security in place on an XP machine. That being said, XP = Instant PWN!

XP is broken. There is no way to harden IE or the OS itself.

Robert McDougal,
User Rank: Ninja
4/30/2014 | 3:45:19 PM
Re: Protect Yourselves
No problem, I understand completely. Many organizations have web apps that will only work on older versions of IE. One way to mitigate this shortcoming is to use an application virtualization technology such as Citrix to sandbox IE.
Lorna Garey,
User Rank: Ninja
4/30/2014 | 3:23:42 PM
Re: Protect Yourselves
Thanks - sadly, not everyone can dump IE.
Robert McDougal,
User Rank: Ninja
4/30/2014 | 3:18:32 PM
Re: Workaround
Yes, if you must use a version of IE older than 10 then yes, disabling Flash should provide you with protection from the vulnerability.
Robert McDougal,
User Rank: Ninja
4/30/2014 | 3:12:29 PM
Protect Yourselves
For anyone that must use IE to perform their daily work I highly recommend you enable Enable Enhanced Protected Mode (IE 10 and IE 11). Otherwise my recommendation is to use another web browser until this bug is patched.

This is taken directly from the advisory but it is important everyone is aware.

To enable EPM in Internet Explorer, perform the following steps:
  1. On the Internet Explorer Tools menu, click Internet Options.
  2. In the Internet Options dialog box, click the Advanced tab, and then scroll down to the Security section of the settings list.
  3. If you are running Internet Explorer 10, ensure the checkbox next to Enable Enhanced Protected Mode is selected.
  4. If you are running Internet Explorer 11, ensure the checkboxes next to Enable Enhanced Protected Mode and Enable 64-bit processes for Enhanced Protected Mode (for 64-bit systems) are selected.
  5. Click OK to accept the changes and return to Internet Explorer.
  6. Restart your system.

 

Microsoft Security Advisory 2963983
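
The checkbox steps above can also be verified from the registry, which helps when many machines have to be checked. The PowerShell below is an added example, not part of the original comment or of the Microsoft advisory. It assumes PowerShell 3.0 or later and that the two checkboxes are stored as the `Isolation` (`PMEM`) and `Isolation64Bit` (`1`) values under the `Internet Explorer\Main` key, read for the current user and for Group Policy; the function names are hypothetical.

```powershell
# Added example: audits the Enhanced Protected Mode (EPM) checkboxes from the steps above.
# Assumptions: PowerShell 3.0+; the checkboxes are stored as Isolation = "PMEM" and
# Isolation64Bit = 1 under ...\Internet Explorer\Main (policy keys take precedence).

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

function Get-EffectiveSetting([string]$Name) {
    # Machine policy, then user policy, then the current user's own preference.
    $paths = @(
        'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Main',
        'HKCU:\SOFTWARE\Policies\Microsoft\Internet Explorer\Main',
        'HKCU:\SOFTWARE\Microsoft\Internet Explorer\Main'
    )
    foreach ($p in $paths) {
        $v = Get-RegValue $p $Name
        if ($null -ne $v) { return [pscustomobject]@{ Value = $v; Source = $p } }
    }
    [pscustomobject]@{ Value = $null; Source = 'not set' }
}

function Test-IeEpm {
    $ieKey   = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer'
    $verText = Get-RegValue $ieKey 'svcVersion'        # holds the real version on IE 10+
    if (-not $verText) { $verText = Get-RegValue $ieKey 'Version' }
    $major = if ($verText) { ([version]$verText).Major } else { 0 }
    $epm   = Get-EffectiveSetting 'Isolation'
    $epm64 = Get-EffectiveSetting 'Isolation64Bit'
    $findings = @()
    if ($major -lt 10) {
        $findings += 'Installed IE predates Enhanced Protected Mode (needs IE 10 or 11).'
    } else {
        if ($epm.Value -ne 'PMEM') {
            $findings += "EPM not enabled: Isolation='$($epm.Value)' ($($epm.Source))."
        }
        if ($major -ge 11 -and [Environment]::Is64BitOperatingSystem -and $epm64.Value -ne 1) {
            $findings += "64-bit EPM processes not enabled: Isolation64Bit='$($epm64.Value)'."
        }
    }
    [pscustomobject]@{ IEVersion = $verText; Compliant = ($findings.Count -eq 0); Findings = $findings }
}

Test-IeEpm | Format-List
```

The per-user values are read from the hive of the account running the script, so run it in the context of the user whose browser is being checked.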
Lorna Garey,
User Rank: Ninja
4/30/2014 | 3:05:56 PM
Workaround
If for some reason you had to use an older version of IE, would disabling Flash be helpful?