Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

Microsoft: Beware IE Zero-Day Attacks

Microsoft offers temporary fix for security flaw in most versions of Internet Explorer, but doesn't yet have a patch to stop attackers from remotely executing code.

20 Great Ideas To Steal In 2013
20 Great Ideas To Steal In 2013
(click image for larger view)
Internet Explorer users, watch where you browse.

Microsoft issued that warning Tuesday after spotting some in-the-wild attacks targeting a new bug in IE. "There are only reports of a limited number of targeted attacks specifically directed at Internet Explorer 8 and 9, although the issue could potentially affect all supported versions" -- meaning also Internet Explorer versions 6, 7, 10 and 11 -- said Dustin Childs, a group manager for communications in Microsoft's Trustworthy Computing group, in a blog post.

"We are actively working to develop a security update to address this issue," Childs said, though he provided no timeline for when that might happen.

[ Could crowdsourcing help in instances like this? Read HP Portal Crowdsources Security Threat Intelligence. ]

According to Microsoft security engineer Neil Sikka, the IE bug (CVE-2013-3893) that attackers have been exploiting enables them to bypass the address space layout randomization (ASLR) attack-blocking feature built into newer versions of IE, and gain the ability to remotely execute code. "The exploit was attacking a 'use after free' vulnerability in IE's HTML rendering engine (mshtml.dll) and was implemented entirely in JavaScript -- no dependencies on Java, Flash etc. -- but did depend on a Microsoft Office DLL, which was not compiled with ASLR enabled," Sikka said in a blog post.

Microsoft's related security advisory said the most likely mode of exploitation would be for attackers to host malicious websites or else submit "specially crafted content that could exploit this vulnerability" to third-party- sites that accept "user-provided content or advertisements." Accordingly, Microsoft said to beware of any links of unknown origin that might arrive via email, instant messaging or social networks, since they might lead to a site designed to exploit the vulnerability.

Related attacks, if successful, would give attackers' code "the same user rights as the current user," meaning they might be able to "install programs; view, change, or delete data; or create new accounts with full user rights." Accordingly, attackers might be able to do less damage against non-administrator or relatively locked-down user accounts.

Not all types of IE are at risk from exploits of this bug. According to Microsoft's security advisory, by default, Internet Explorer on Windows Server 2003, 2008, 2008 R2, 2012, and 2012 R2 runs in a restricted mode, known as "enhanced security configuration," which mitigates the vulnerability. Likewise, by default all "supported" versions of Microsoft Outlook, Microsoft Outlook Express and Windows Mail open any received HTML in a restricted zone, which would also mitigate the vulnerability.

How can businesses protect themselves? Microsoft has released a temporary "fix it" solution for 32-bit versions of Internet Explorer that it's calling the MSHTML Shim Workaround. "This Fix it solution is not intended to be a replacement for any security update. We recommend that you always install the latest security updates," according to Microsoft's security advisory. "However, we offer this Fix it solution as a workaround option for some scenarios," such as the current one, in which Microsoft has yet to patch the flaw that's being exploited. For this workaround to work, however, a PC must first have installed a cumulative security update for IE released on Sept. 10 by Microsoft.

Microsoft's Sikka said that the company's Enhanced Mitigation Experience Toolkit (EMET) -- version 3.0 or 4.0 -- can also be used to help prevent related exploits from being successful. This approach, notably, will work not only with 32-bit but also 64-bit versions of IE.

Tuesday's Fix It release was the first time in four months that Microsoft has had to release an emergency workaround for a flaw that's being actively exploited by attackers, said Chester Wisniewski, a senior security advisor at Sophos Canada, in a blog post.

But are the EMET or Fix It mitigation strategies worth the effort? For business users, the answer is yes, said Wisniewski. But consumers might spare themselves the hassle, and instead adopt a simpler -- perhaps temporary, perhaps not -- fix. "My advice for non-corporate PCs is to simply use another browser until Microsoft is able to deliver a fix," he said.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Mathew
50%
50%
Mathew,
User Rank: Apprentice
9/19/2013 | 3:17:00 PM
re: Microsoft: Beware IE Zero-Day Attacks
Unfortunately, updating Office won't help. The bug exists in an Office DLL that's in IE. Ironically, Microsoft in 2011 issued a report warning that only 20% of tested products -- including Microsoft software -- fully implemented ASLR. If Microsoft had followed its own advice, related attacks against this bug wouldn't have been possible.

Instead, Websense -- which studied real-world IE usage patterns -- said Wednesday that up to 70% of enterprise users are now at risk of being exploited by attacks that target this vulnerability.
David F. Carr
50%
50%
David F. Carr,
User Rank: Apprentice
9/18/2013 | 4:29:53 PM
re: Microsoft: Beware IE Zero-Day Attacks
If the flaw was in an Office module, why aren't they telling people to update Office as well?
Data Leak Week: Billions of Sensitive Files Exposed Online
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/10/2019
Intel Issues Fix for 'Plundervolt' SGX Flaw
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/11/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-5252
PUBLISHED: 2019-12-14
There is an improper authentication vulnerability in Huawei smartphones (Y9, Honor 8X, Honor 9 Lite, Honor 9i, Y6 Pro). The applock does not perform a sufficient authentication in a rare condition. Successful exploit could allow the attacker to use the application locked by applock in an instant.
CVE-2019-5235
PUBLISHED: 2019-12-14
Some Huawei smart phones have a null pointer dereference vulnerability. An attacker crafts specific packets and sends to the affected product to exploit this vulnerability. Successful exploitation may cause the affected phone to be abnormal.
CVE-2019-5264
PUBLISHED: 2019-12-13
There is an information disclosure vulnerability in certain Huawei smartphones (Mate 10;Mate 10 Pro;Honor V10;Changxiang 7S;P-smart;Changxiang 8 Plus;Y9 2018;Honor 9 Lite;Honor 9i;Mate 9). The software does not properly handle certain information of applications locked by applock in a rare condition...
CVE-2019-5277
PUBLISHED: 2019-12-13
Huawei CloudUSM-EUA V600R006C10;V600R019C00 have an information leak vulnerability. Due to improper configuration, the attacker may cause information leak by successful exploitation.
CVE-2019-5254
PUBLISHED: 2019-12-13
Certain Huawei products (AP2000;IPS Module;NGFW Module;NIP6300;NIP6600;NIP6800;S5700;SVN5600;SVN5800;SVN5800-C;SeMG9811;Secospace AntiDDoS8000;Secospace USG6300;Secospace USG6500;Secospace USG6600;USG6000V;eSpace U1981) have an out-of-bounds read vulnerability. An attacker who logs in to the board m...