Attacks/Breaches
4/29/2014
05:50 PM

New IE Zero-Day Prompts More Calls to Ditch Windows XP

Experts call for Windows XP users running IE to be mindful that they should upgrade to a new system supported by Microsoft.

It has been a rough few days for Internet Explorer.

A vulnerability affecting IE versions 6 through 11 was reported over the weekend that allows an attacker to remotely execute code in the context of the user if the victim can be tricked into visiting a malicious website. The vulnerability was discovered being used in an attack campaign dubbed "Operation Clandestine Fox" by researchers at FireEye.

In the aftermath of the discovery, the CERT teams in the UK and the US have advised users to consider ditching the browser until Microsoft issues a patch. So far, Microsoft has not indicated when a fix will arrive.

According to an advisory from CERT-UK:

This vulnerability… affects Internet Explorer running on any version of the Windows Operating System although Microsoft has indicated that versions of Windows Server and Microsoft mail applications are protected to some degree. Its significance is likely to be that, even once patched, users of Windows XP will be at risk because on current plans no patch would be issued for that version of the Operating System following its end of life. As the first such vulnerability to appear, this one is likely to receive a greater than normal level of interest.

While IE versions 6 through 11 are vulnerable, the attack detected by FireEye appears to only be targeting versions 9, 10, and 11. But that is no small number of users. According to NetMarket Share, the market share for 9, 10, and 11 averaged more than 26 percent for 2013.

The good news is that, according to Microsoft, versions 10 and 11 mitigate the vulnerability by having "Enhanced Protected Mode" on by default. The issue is also mitigated via the Enhanced Mitigation Experience Toolkit (EMET) 4.1 and EMET 5.0.

The known exploit for this issue uses a Flash exploitation technique to achieve arbitrary memory access and bypass Windows’ Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP) protections. If Flash Player is disabled or removed, the exploit will be blocked -- though the root cause of the issue will still remain.  

Says Pedro Bustamante, director of special projects at Malwarebytes:

Vulnerabilities such as this will be an increasing threat for all Internet users. The interim risk to people and businesses using IE 6 to 11, until Microsoft pushes out a patch, is troubling. But the more potentially severe issue is that anyone still using XP will be completely exposed as long as they continue to use the unsupported OS. For them there will never be a patch. This is worrying because it can put a significant amount of personal data at risk from highly stealthy attacks, including bank details and other private information.

This zero-day is likely the first of what will inevitably be multiple issues to affect Windows XP in the post-XP era, says Ross Barrett, senior manager of security engineering at Rapid7.

"Overall, this issue isn't all that different from any number of IE 0-days -- we usually get three or four every year -- except that it's the first in the post-XP world," says Barrett. "All the more reason for users to move to modern, supported operating systems where advanced mitigation techniques are available."

Brian Prince is a freelance writer for a number of IT security-focused publications. Prior to becoming a freelance reporter, he worked at eWEEK for five years covering not only security, but also a variety of other subjects in the tech industry. Before that, he worked as a ...

Comments
theb0x
User Rank: Moderator
4/30/2014 | 4:12:11 PM
Re: Protect Yourselves
The solution is quite simple. This IE exploit only affects user accounts with Administrative privileges.

In fact this has nothing to do with XP at all. Do not operate IE as an Administrator and you will be immune to this particular exploit.

However, a simple Metasploit attack vector can easily leverage to System privileges bypassing any security in place on an XP machine. That being said, XP = Instant PWN!

XP is broken. There is no way to harden IE or the OS itself.

Robert McDougal
User Rank: Ninja
4/30/2014 | 3:45:19 PM
Re: Protect Yourselves
No problem, I understand completely. Many organizations have web apps that will only work on older versions of IE. One way to mitigate this shortcoming is to use an application virtualization technology such as Citrix to sandbox IE.
Lorna Garey
User Rank: Ninja
4/30/2014 | 3:23:42 PM
Re: Protect Yourselves
Thanks - sadly, not everyone can dump IE.
Robert McDougal
User Rank: Ninja
4/30/2014 | 3:18:32 PM
Re: Workaround
Yes, if you must use a version of IE older than 10 then yes, disabling Flash should provide you with protection from the vulnerability.
Robert McDougal
User Rank: Ninja
4/30/2014 | 3:12:29 PM
Protect Yourselves
For anyone that must use IE to perform their daily work I highly recommend you enable Enable Enhanced Protected Mode (IE 10 and IE 11). Otherwise my recommendation is to use another web browser until this bug is patched.

This is taken directly from the advisory but it is important everyone is aware.

To enable EPM in Internet Explorer, perform the following steps:
  1. On the Internet Explorer Tools menu, click Internet Options.
  2. In the Internet Options dialog box, click the Advanced tab, and then scroll down to the Security section of the settings list.
  3. If you are running Internet Explorer 10, ensure the checkbox next to Enable Enhanced Protected Mode is selected.
  4. If you are running Internet Explorer 11, ensure the checkboxes next to Enable Enhanced Protected Mode and Enable 64-bit processes for Enhanced Protected Mode (for 64-bit systems) are selected.
  5. Click OK to accept the changes and return to Internet Explorer.
  6. Restart your system.

 

Microsoft Security Advisory 2963983
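
The settings that the steps above toggle can also be checked from PowerShell. This read-only audit is an added example, not part of the comment or of the Microsoft advisory; the function name `Get-IeEpmStatus` is hypothetical, and the registry value names (`Isolation`, `Isolation64Bit`, `svcVersion`) do not appear on the page and are assumptions about how IE stores these options.

```powershell
# Added example (requires PowerShell 3+). Read-only: reports state, changes nothing.
# Assumption: IE stores EPM as "Isolation" = "PMEM" and the 64-bit option as
# "Isolation64Bit" = 1 under ...\Internet Explorer\Main; policy keys take precedence.
function Get-IeEpmStatus {
    $paths = @(
        'HKLM:\Software\Policies\Microsoft\Internet Explorer\Main',
        'HKCU:\Software\Policies\Microsoft\Internet Explorer\Main',
        'HKCU:\Software\Microsoft\Internet Explorer\Main'
    )
    # Return the first value found for a name, walking the keys in precedence order.
    $read = {
        param($name)
        foreach ($p in $paths) {
            $v = (Get-ItemProperty -Path $p -Name $name -ErrorAction SilentlyContinue).$name
            if ($null -ne $v) { return $v }
        }
    }
    $isolation = & $read 'Isolation'
    $iso64     = & $read 'Isolation64Bit'

    # Assumption: IE 10+ reports its real version in svcVersion; older builds use Version.
    $ie = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Internet Explorer' -ErrorAction SilentlyContinue
    $verText = if ($ie -and $ie.svcVersion) { $ie.svcVersion } elseif ($ie) { $ie.Version } else { $null }
    $major   = if ($verText) { [int]($verText -split '\.')[0] } else { 0 }

    $epmOn   = ($isolation -eq 'PMEM')
    $epm64On = ($iso64 -eq 1)
    $os64    = [Environment]::Is64BitOperatingSystem

    # Mirror steps 3 and 4: IE 10 needs EPM; IE 11 on 64-bit also needs 64-bit processes.
    $ok = switch ($major) {
        10      { $epmOn }
        11      { $epmOn -and (-not $os64 -or $epm64On) }
        default { $false }   # EPM is not available before IE 10
    }

    [pscustomobject]@{
        IEMajorVersion    = $major
        EpmEnabled        = $epmOn
        Epm64BitProcesses = $epm64On
        MatchesSteps      = [bool]$ok
    }
}

Get-IeEpmStatus | Format-List
```

Run it as the user whose browser is being checked, since the per-user preference lives under that account's HKCU hive.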
Lorna Garey
User Rank: Ninja
4/30/2014 | 3:05:56 PM
Workaround
If for some reason you had to use an older version of IE, would disabling Flash be helpful?