New IE Zero-Day Flaw Being Used In Targeted Attacks

Microsoft is warning today about a newly discovered and unpatched flaw in Internet Explorer 6 and 7 that's being exploited in the wild.

The zero-day vulnerability in IE 6 and IE 7 revealed in Security Advisory 981374 is an invalid pointer reference bug, which doesn't affect IE 8, according to Microsoft. IE 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4, Internet Explorer 6, and Internet Explorer 7 all contain this bug and are susceptible to an attack, which can allow an attacker to remotely execute code.

So far there has been no patch from Microsoft: "We will continue to monitor the situation and take the appropriate action to protect our customers, which may include providing a solution through our monthly security update release process, or an out-of-band security update, depending on customer needs," said Jerry Bryant, senior security communications manager lead for Microsoft, in a statement. "In the interim, it is recommended that customers using Internet Explorer 6 or 7 upgrade to Internet Explorer 8 immediately to benefit from the improved security features and defense in depth protections."

Andrew Storms, director of security operations for nCircle, says just how the bug was discovered is unclear. "Given the current level of silence about the advisory, the current thinking is that this new bug most likely came into Microsoft from a customer channel," Storm says. "As with all IE zero-day bugs, you can bet money that researchers are actively searching out ways to weaponize the attack vector."

This is the second time this year that Microsoft has warned of a new IE zero-day vulnerability.

Microsoft recommends running IE in Protected Mode, which would limit a successful attacker's rights on the victim system. And the lower the user right privileges, the safer the victim's machine will be -- machines configured with administrative rights would be most affected. Microsoft also recommends setting the Internet zone security level to "high."

The attack requires that the user visit a Website with malicious code that exploits the vulnerability. "...an attacker would have to convince users to visit the Web site, typically by getting them to click a link in an e-mail message or Instant Messenger message that takes users to the attacker's Web site," according to the Microsoft advisory.

"Like the IE zero-day bug from January that got a lot of press because of its involvement in the Aurora exploit that hit Google, this bug will get some mitigation assistance from ASLR and DEP. The good news is that at this time IE 8 is not affected," nCircle's Storms says. "There's no doubt that this new bug will be fodder for the ongoing security discussion that is a key part of the browser war."

The IE advisory was released in conjunction with Microsoft's monthly patch release today -- the software giant issued two patches that fix eight vulnerabilities in Windows and Microsoft Office. The MS10-016 patch addresses a flaw in Windows Movie Maker and Microsoft Producer 2003 that could allow remote code execution via a Movie Maker or Microsoft Producer project file. Another new bulletin, MS10-017, addresses vulnerabilities in Microsoft Excel. Microsoft also rereleased MS09-033 with the addition of Microsoft Virtual Server 2005 as one of the affected software products.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.