Thursday, November 4, 2010

New 0-day flaw in IE 6, 7, and 8 not likely to be fixed

This hit the blogs and tech news sites yesterday.  In one of Microsoft's write-ups, they point out that running as a "Limited User" (an account that doesn't have administrator privileges) is one way to avoid this exploit.  Firefox and Chrome are also not subject to this problem.  The Symantec article has the best technical details.

Vulnerability in Internet Explorer Could Allow Remote Code Execution (CVE-2010-3962)

Microsoft has announced a vulnerability in all currently-supported versions of Internet Explorer (6 through 8) that could allow the execution of arbitrary code (advisory 2458511- http://blogs.technet.com/b/msrc/archive/2010/11/02/microsoft-releases-security-advisory-2458511.aspx.) This would likely be leveraged in a drive-by-exploit scenario. They state that DEP (Data Execution Prevention) and Protected Mode are mitigating factors.

Microsoft Warns of Attacks on Zero-Day IE Bug — Krebs on Security
Microsoft Corp. today warned Internet Explorer users that attackers are exploiting a previously unknown security hole in the browser to install malicious software. The company is urging users who haven’t already done so to upgrade to IE8, which includes technology that makes the vulnerability more difficult to exploit.
Microsoft warns of new IE zero-day attacks | ZDNet
Microsoft has raised an alarm for a new round of targeted malware attacks against a zero-day vulnerability in its dominant Internet Explorer browser.

The vulnerability affects all supported versions of Internet Explorer and can be exploited to launch remote code execution (drive by download) attacks, Microsoft said in an advisory.
Microsoft Security Advisory (2458511): Vulnerability in Internet Explorer Could Allow Remote Code Execution
Microsoft is investigating new, public reports of a vulnerability in all supported versions of Internet Explorer. The main impact of the vulnerability is remote code execution. This advisory contains workarounds and mitigations for this issue.

The vulnerability exists due to an invalid flag reference within Internet Explorer. It is possible under certain conditions for the invalid flag reference to be accessed after an object is deleted. In a specially-crafted attack, in attempting to access a freed object, Internet Explorer can be caused to allow remote code execution.

At this time, we are aware of targeted attacks attempting to use this vulnerability. We will continue to monitor the threat environment and update this advisory if this situation changes. On completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include providing a solution through our monthly security update release process, or an out-of-cycle security update, depending on customer needs.
Microsoft Releases Security Advisory 2458511 - The Microsoft Security Response Center (MSRC) - Site Home - TechNet Blogs
Today we released Security Advisory 2458511 to address a new vulnerability that could impact Internet Explorer users if they visit a website hosting malicious code. As of now, the impact of this vulnerability is extremely limited and we are not aware of any affected customers. The exploit code was discovered on a single website which is no longer hosting the malicious code. ... The Security Advisory also details a workaround that customers can apply that will protect all affected versions of IE from this issue. We are working to put have a Microsoft Fix it in place for easy implementation of the workaround. Our Security Research & Defense team has also provided a detailed write up on how the workaround protects against the vulnerability.
New IE Zero-Day used in Targeted Attacks | Symantec Connect
One such case started few days ago when we received information about a possible exploitation using older versions of Internet Explorer as targets. Hackers had sent emails to a select group of individuals within targeted organizations. Within the email, the perpetrators added a link to a specific page hosted on an otherwise legitimate website. The hackers had gotten access to the website account and uploaded content without the owners knowing. Here is what the email looked like:

No comments: