New IE Zero-Day Prompts More Calls to Ditch Windows XP

It has been a rough few days for Internet Explorer.

A vulnerability affecting IE versions 6 through 11 was reported over the weekend that allows an attacker to remotely execute code in the context of the user if the victim can be tricked into visiting a malicious website. The vulnerability was discovered being used in an attack campaign dubbed "Operation Clandestine Fox" by researchers at FireEye.

In the aftermath of the discovery, the CERT teams in the UK and the US have advised users to consider ditching the browser until Microsoft issues a patch. So far, Microsoft has not indicated when a fix will arrive.

According to an advisory from CERT-UK:

This vulnerability… affects Internet Explorer running on any version of the Windows Operating System although Microsoft has indicated that versions of Windows Server and Microsoft mail applications are protected to some degree. Its significance is likely to be that, even once patched, users of Windows XP will be at risk because on current plans no patch would be issued for that version of the Operating System following its end of life. As the first such vulnerability to appear, this one is likely to receive a greater than normal level of interest.

While IE versions 6 through 11 are vulnerable, the attack detected by FireEye appears to only be targeting versions 9, 10, and 11. But that is no small number of users. According to NetMarket Share, the market share for 9, 10, and 11 averaged more than 26 percent for 2013.

The good news is that, according to Microsoft, versions 10 and 11 mitigate the vulnerability by having "Enhanced Protected Mode" on by default. The issue is also mitigated via the Enhanced Mitigation Experience Toolkit (EMET) 4.1 and EMET 5.0.

The known exploit for this issue uses a Flash exploitation technique to achieve arbitrary memory access and bypass Windows’ Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP) protections. If Flash Player is disabled or removed, the exploit will be blocked -- though the root cause of the issue will still remain.  

Says Pedro Bustamante, director of special projects at Malwarebytes:

Vulnerabilities such as this will be an increasing threat for all Internet users. The interim risk to people and businesses using IE 6 to 11, until Microsoft pushes out a patch, is troubling. But the more potentially severe issue is that anyone still using XP will be completely exposed as long as they continue to use the unsupported OS. For them there will never be a patch. This is worrying because it can put a significant amount of personal data at risk from highly stealthy attacks, including bank details and other private information.

This zero-day is likely the first of what will inevitably be multiple issues to affect Windows XP in the post-XP era, says Ross Barrett, senior manager of security engineering at Rapid7.

"Overall, this issue isn't all that different from any number of IE 0-days -- we usually get three or four every year -- except that it's the first in the post-XP world," says Barrett. "All the more reason for users to move to modern, supported operating systems where advanced mitigation techniques are available."