Attacks/Breaches
4/29/2014
05:50 PM

New IE Zero-Day Prompts More Calls to Ditch Windows XP

Experts warn Windows XP users who still run Internet Explorer that they should move to an operating system Microsoft continues to support.

It has been a rough few days for Internet Explorer.

A vulnerability affecting IE versions 6 through 11 was reported over the weekend. It allows an attacker to execute code remotely with the privileges of the logged-on user if the victim can be tricked into visiting a malicious website. Researchers at FireEye discovered the vulnerability being used in an attack campaign they dubbed "Operation Clandestine Fox."

In the aftermath of the discovery, the CERT teams in the UK and the US have advised users to consider ditching the browser until Microsoft issues a patch. So far, Microsoft has not indicated when a fix will arrive.

According to an advisory from CERT-UK:

This vulnerability… affects Internet Explorer running on any version of the Windows Operating System although Microsoft has indicated that versions of Windows Server and Microsoft mail applications are protected to some degree. Its significance is likely to be that, even once patched, users of Windows XP will be at risk because on current plans no patch would be issued for that version of the Operating System following its end of life. As the first such vulnerability to appear, this one is likely to receive a greater than normal level of interest.

While IE versions 6 through 11 are vulnerable, the attack detected by FireEye appears to target only versions 9, 10, and 11. That is no small number of users: according to NetMarket Share, the combined market share of IE 9, 10, and 11 averaged more than 26 percent in 2013.

The good news is that, according to Microsoft, Enhanced Protected Mode (EPM) in IE 10 and 11 mitigates the vulnerability. EPM is on by default only in the immersive (Windows 8-style) browser; in desktop IE it must be switched on manually. The issue is also mitigated by the Enhanced Mitigation Experience Toolkit (EMET) 4.1 and EMET 5.0.

The known exploit for this issue uses a Flash exploitation technique to gain arbitrary memory access and so bypass Windows' Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP) protections. If Flash Player is disabled or removed, this particular exploit will be blocked -- but the underlying IE vulnerability remains, and a different exploit that does not rely on Flash would not be stopped.

Says Pedro Bustamante, director of special projects at Malwarebytes:

Vulnerabilities such as this will be an increasing threat for all Internet users. The interim risk to people and businesses using IE 6 to 11, until Microsoft pushes out a patch, is troubling. But the more potentially severe issue is that anyone still using XP will be completely exposed as long as they continue to use the unsupported OS. For them there will never be a patch. This is worrying because it can put a significant amount of personal data at risk from highly stealthy attacks, including bank details and other private information.

This zero-day is likely the first of what will inevitably be multiple issues to affect Windows XP in the post-XP era, says Ross Barrett, senior manager of security engineering at Rapid7.

"Overall, this issue isn't all that different from any number of IE 0-days -- we usually get three or four every year -- except that it's the first in the post-XP world," says Barrett. "All the more reason for users to move to modern, supported operating systems where advanced mitigation techniques are available."

Brian Prince is a freelance writer for a number of IT security-focused publications. Prior to becoming a freelance reporter, he worked at eWEEK for five years covering not only security, but also a variety of other subjects in the tech industry. Before that, he worked as a ...

Comments
theb0x
User Rank: Moderator
4/30/2014 | 4:12:11 PM
Re: Protect Yourselves
The solution is quite simple. This IE exploit only affects user accounts with Administrative privileges.

In fact this has nothing to do with XP at all. Do not operate IE as an Administrator and you will be immune to this particular exploit.

However, a simple Metasploit attack vector can easily be leveraged to gain System privileges, bypassing any security in place on an XP machine. That being said, XP = Instant PWN!

XP is broken. There is no way to harden IE or the OS itself.

Robert McDougal
User Rank: Ninja
4/30/2014 | 3:45:19 PM
Re: Protect Yourselves
No problem, I understand completely. Many organizations have web apps that will only work on older versions of IE. One way to mitigate this shortcoming is to use an application virtualization technology such as Citrix to sandbox IE.
Lorna Garey
User Rank: Ninja
4/30/2014 | 3:23:42 PM
Re: Protect Yourselves
Thanks - sadly, not everyone can dump IE.
Robert McDougal
User Rank: Ninja
4/30/2014 | 3:18:32 PM
Re: Workaround
Yes, if you must use a version of IE older than 10, then disabling Flash should provide you with protection from the vulnerability.
Robert McDougal
User Rank: Ninja
4/30/2014 | 3:12:29 PM
Protect Yourselves
For anyone who must use IE to perform their daily work, I highly recommend you enable Enhanced Protected Mode (IE 10 and IE 11). Otherwise my recommendation is to use another web browser until this bug is patched.

This is taken directly from the advisory but it is important everyone is aware.

To enable EPM in Internet Explorer, perform the following steps:
  1. On the Internet Explorer Tools menu, click Internet Options.
  2. In the Internet Options dialog box, click the Advanced tab, and then scroll down to the Security section of the settings list.
  3. If you are running Internet Explorer 10, ensure the checkbox next to Enable Enhanced Protected Mode is selected.
  4. If you are running Internet Explorer 11, ensure the checkboxes next to Enable Enhanced Protected Mode and Enable 64-bit processes for Enhanced Protected Mode (for 64-bit systems) are selected.
  5. Click OK to accept the changes and return to Internet Explorer.
  6. Restart your system.

Microsoft Security Advisory 2963983
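The following PowerShell is an added example, not code from the article, from the commenters, or from Microsoft's advisory. It covers both the mitigation paragraph in the article (Enhanced Protected Mode and disabling Flash) and the manual EPM steps in the comment above, by auditing and setting the registry values behind those settings. It assumes IE 10 or 11 on Windows 7 or 8, that the value names (`Isolation`, `Isolation64Bit`, `Compatibility Flags`) and the Shockwave Flash Object CLSID are the standard documented ones, and that it is run from an elevated prompt for the HKLM write. The function names are this example's own.

```powershell
# Added example (not from the article, the commenters, or Microsoft's advisory).
# Audits and applies two workarounds discussed on this page for IE 10/11:
#   - Enhanced Protected Mode, the registry equivalent of the Internet Options checkboxes
#   - a kill bit for the Flash ActiveX control, so IE will not instantiate it
# Assumptions: standard value names and Flash CLSID (documented by Microsoft);
# run elevated; restart IE (or the system, as the advisory says) afterwards.

$IeMain     = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
$FlashClsid = '{D27CDB6E-AE6D-11cf-96B8-444553540000}'   # "Shockwave Flash Object"
$KillBitKey = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$FlashClsid"
$KillBit    = 0x400                                       # Compatibility Flags: kill bit

function Get-IeMitigationStatus {
    $ieInfo = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Internet Explorer' -ErrorAction SilentlyContinue
    $main   = Get-ItemProperty -Path $IeMain     -ErrorAction SilentlyContinue
    $kb     = Get-ItemProperty -Path $KillBitKey -ErrorAction SilentlyContinue
    $os     = [Environment]::OSVersion.Version

    # svcVersion is present on IE 10/11; older builds only carry Version.
    $ieVersion = if ($ieInfo.svcVersion) { $ieInfo.svcVersion } else { $ieInfo.Version }
    $flags     = if ($kb) { [int]$kb.'Compatibility Flags' } else { 0 }

    # New-Object rather than [pscustomobject] so this also runs on PowerShell 2.0 (Windows 7 default).
    New-Object PSObject -Property @{
        IeVersion         = $ieVersion
        EpmEnabled        = ($main.Isolation -eq 'PMEM')        # "PMEM" = on, "PMIL" = off
        Epm64BitProcesses = ($main.Isolation64Bit -eq 1)
        FlashKillBitSet   = (($flags -band $KillBit) -eq $KillBit)
        UnsupportedXpHost = ($os.Major -lt 6)                    # XP is NT 5.x; no patch is coming
    }
}

function Enable-IeMitigations {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    $status = Get-IeMitigationStatus
    if ($status.UnsupportedXpHost) {
        Write-Warning 'Windows XP: EPM is unavailable and no fix will ship; migrate or stop using IE.'
    }

    # Enhanced Protected Mode (IE 10/11). On 64-bit Windows also enable 64-bit tab processes,
    # matching the second checkbox in the IE 11 steps above.
    if ($PSCmdlet.ShouldProcess($IeMain, 'Enable Enhanced Protected Mode')) {
        Set-ItemProperty -Path $IeMain -Name Isolation -Value 'PMEM' -Type String
        $is64 = (Get-WmiObject Win32_OperatingSystem).OSArchitecture -like '64*'
        if ($is64) {
            Set-ItemProperty -Path $IeMain -Name Isolation64Bit -Value 1 -Type DWord
        }
    }

    # Kill bit: IE refuses to load the Flash control. This blocks the known exploit's
    # ASLR/DEP bypass but leaves the underlying IE bug in place, so it is a stopgap only.
    if ($PSCmdlet.ShouldProcess($KillBitKey, 'Set Flash ActiveX kill bit')) {
        if (-not (Test-Path $KillBitKey)) { New-Item -Path $KillBitKey -Force | Out-Null }
        $existing = (Get-ItemProperty -Path $KillBitKey -ErrorAction SilentlyContinue).'Compatibility Flags'
        $newFlags = ([int]$existing) -bor $KillBit           # preserve any flags already set
        Set-ItemProperty -Path $KillBitKey -Name 'Compatibility Flags' -Value $newFlags -Type DWord
    }

    Get-IeMitigationStatus
}

# Usage (elevated prompt):
#   Get-IeMitigationStatus          # audit only
#   Enable-IeMitigations -WhatIf    # show what would change
#   Enable-IeMitigations            # apply, then restart IE
```

The EPM values are written under HKCU because that is what the Internet Options dialog changes for the current user; an administrator rolling this out fleet-wide would set the same values through Group Policy under HKLM\Software\Policies\Microsoft\Internet Explorer\Main instead. The kill bit is ORed into any existing Compatibility Flags value rather than overwriting it, so other compatibility settings on the Flash control survive.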
Lorna Garey
User Rank: Ninja
4/30/2014 | 3:05:56 PM
Workaround
If for some reason you had to use an older version of IE, would disabling Flash be helpful?