We know it sounds like a broken record: A new security vulnerability has been found in Microsoft Internet Explorer that can enable attackers to take over a computer, collect personal data, run any software they like, yada yada yada. However, this one comes with a bit of a twist: The vulnerability is being actively exploited in the wild, and was apparently produced by the same group of Chinese attackers who launched targeted attacks using the critical Java vulnerabilities Oracle patched last month. All it takes to take over a vulnerable system is visiting a maliciously-crafted Web site.
More bad news: The bug affects Internet Explorer 7, 8, and 9 on Windows XP, Windows Vista, and Windows 7, meaning millions of people are potentially vulnerable. Even more bad news: Microsoft has not yet issued a patch, and security companies (and even governments) are recommending users stop using Internet Explorer and switch to another browser — at least until the vulnerability is patched.
There is some good news: IE users can protect themselves in the meantime by installing Microsoft’s Enhanced Mitigation Experience Toolkit — but that may not be a slam dunk.
What’s the problem?
The exploit was first uncovered and publicized by Luxembourg-based security researcher Eric Romang, who found it on a server used by Chinese malware developers. The Metasploit team and Romang quickly verified the vulnerability and added it to their open source vulnerability testing framework. Normally security researchers quietly report vulnerabilities to the appropriate companies and only release details when a patch becomes available. However, in this case the exploit was already circulating on the Internet, so going public seemed like the fastest way to help protect people.
There are indications this exploit was developed by the same group behind the so-called “Nitro” attacks of 2011, which appear to have been industrial espionage efforts targeting defense and chemical companies. The new zero-day exploit seems to be along the same lines. AlienVault manager Jaime Blasco has uncovered evidence that sites carrying the new IE exploit may be targeting defense contractors.
The attack itself can be placed in any Web page. It loads an Adobe Flash file that performs a “heap spray” (basically, seeding code throughout the memory used by Internet Explorer) to load an iframe which, in turn, downloads the malware executable. This executable enables attackers to monitor remote computers and steal data. It’s important to note that while the current attack uses Adobe Flash, the vulnerability itself is not in Flash, but in Internet Explorer.
The team that developed the zero-day exploit was apparently not very happy to be outed by Romang: The attack disappeared from the server where Romang found it over the weekend.
By Monday, Microsoft had issued a security advisory on the vulnerability.
Internet Explorer 7, 8, and 9 running under Windows XP, Windows Vista, and Windows 7 are all vulnerable to the attack. Right now, the exploit appears to be used only against specific industries — probably at the business end of a “spearphishing” campaign. Microsoft’s Director of Trustworthy Computing Yunsun Wee claims an “extremely limited number of people” have been impacted by the problem.
Nonetheless, there’s absolutely no telling how long this exploit has been used in the wild — it could easily pre-date things like the recent Java exploits. The number of potentially vulnerable users is gigantic: Security firm Rapid7 estimated as many as 41 percent of North American Internet users are vulnerable to the exploit. As with last month’s Java vulnerabilities, there’s always the possibility this exploit will make it into frameworks and toolkits used by a much wider group of malware authors and hackers. If that happens, the attack could suddenly be targeting millions of people.
What to do?
Microsoft’s Yunsun Wee says a fix will be available from Microsoft “within the next few days.” Users will be able to patch Internet Explorer with a one-click installation, and Microsoft claims the patch won’t impact users’ Web browsing or even require users to reboot their computers.
In the meantime, Microsoft has recommended users install the Enhanced Mitigation Experience Toolkit (EMET), a collection of tools and utilities that adds security layers and defenses to older versions of Windows and hardens more recent versions of Windows against known exploits.
EMET is separate from Microsoft’s product-related security updates. The idea is to offer patches, lockdowns, and mitigation techniques that aren’t tied to any particular product, on a schedule that is also not tied to any particular product. EMET can’t really protect against new exploits, but it can help protect Windows users against known exploits and variants on known exploits. It has to be separately downloaded, installed, and then manually configured to protect against this particular threat.
Microsoft also recommends Internet Explorer users set their Internet and Local intranet security zone settings to “High” to prevent ActiveX and Active Scripting components from loading from sites in those zones. This will protect users against the attack, but it’s also pretty likely to impact Web usability. If sites have problems, users will have to add the sites they trust to IE’s Trusted Sites zone to get them to work — and once a site gets added to that list, most users never remember to remove it again after a patch is available.
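As an added example (not from the article, Microsoft, or EMET), a read-only PowerShell audit of the zone workaround just described: it reports the Local intranet and Internet zone levels, whether ActiveX and Active Scripting are actually disabled there, and which domains have been added to Trusted Sites so they can be reviewed once the patch ships. It assumes the standard per-user Internet Settings registry layout (zone ids 1, 2 and 3, the CurrentLevel value, action values 1200 and 1400, and ZoneMap\Domains) and PowerShell 3.0 or later.

```powershell
# Added audit script, not from the article or Microsoft. Read-only: it reports the
# Local intranet (zone 1) and Internet (zone 3) security level, whether ActiveX
# (action 1200) and Active Scripting (action 1400) are disabled, and which domains
# have been put in Trusted Sites (zone 2) so they can be reviewed after the patch.
# Assumes the per-user Internet Settings registry layout and PowerShell 3.0+.

$base = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

# CurrentLevel values as IE stores the slider positions (assumed, from the zone UI)
$levelNames  = @{ 0x10000 = 'Low'; 0x10500 = 'Medium-Low'; 0x11000 = 'Medium';
                  0x11500 = 'Medium-High'; 0x12000 = 'High' }
$actionNames = @{ 0 = 'Enabled'; 1 = 'Prompt'; 3 = 'Disabled' }

function Get-ActionState($zone, [string]$action) {
    $p = $zone.PSObject.Properties[$action]
    if ($null -eq $p) { return 'not set' }          # value absent: IE applies its default
    $name = $actionNames[[int]$p.Value]
    if ($name) { $name } else { "unknown ($($p.Value))" }
}

function Get-ZoneStatus([int]$ZoneId, [string]$Label) {
    $zone  = Get-ItemProperty -Path "$base\Zones\$ZoneId"
    $level = $levelNames[[int]$zone.CurrentLevel]
    if (-not $level) { $level = 'custom 0x{0:X}' -f $zone.CurrentLevel }
    $ax = Get-ActionState $zone '1200'
    $as = Get-ActionState $zone '1400'
    [pscustomobject]@{
        Zone = $Label; Level = $level; ActiveX = $ax; ActiveScripting = $as
        # The workaround only takes effect when both components are off
        Mitigated = ($ax -eq 'Disabled' -and $as -eq 'Disabled')
    }
}

function Get-TrustedSites {
    # ZoneMap\Domains nests as <domain>\<host>; a DWORD named http, https or * holds the zone id
    Get-ChildItem -Path "$base\ZoneMap\Domains" -Recurse -ErrorAction SilentlyContinue |
      ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath
        $parts = ($_.PSPath -replace '.*\\Domains\\', '') -split '\\'
        [array]::Reverse($parts)                      # host\domain order -> host.domain
        foreach ($scheme in 'http', 'https', '*') {
            if ($props.$scheme -eq 2) {
                [pscustomobject]@{ Site = ($parts -join '.'); Scheme = $scheme }
            }
        }
      }
}

Get-ZoneStatus 1 'Local intranet'
Get-ZoneStatus 3 'Internet'
Get-TrustedSites | Format-Table -AutoSize
```

Any Trusted Sites entry listed here bypasses the “High” setting for that site, so the list is what to prune once the patch is installed.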
So what about another browser?
Of course, another way to avoid this zero-day vulnerability is simply not to use Internet Explorer. It’s worth noting that none of the other mainstream Web browsers available for Windows — including Chrome, Firefox, Opera, and Safari — are vulnerable to this exploit. In fact, many security experts are recommending Internet Explorer users switch to a different browser until Microsoft issues a patch, and the German government’s Federal Office for Information Security (German) is saying the same thing.
Switching to another browser — even temporarily — might be a viable workaround for many users. It’s not as if Chrome, Firefox, Opera, or Safari are magically immune from zero-day bugs themselves, but at least they aren’t vulnerable to this particular problem that’s casting a shadow over Internet Explorer.
However, for many users, switching away from IE simply isn’t an option. Using Internet Explorer might be mandated by a school or IT department, and there are some sites and services that simply don’t function right (or at all) in anything but Internet Explorer.
Security exploits — especially in Internet Explorer — are nothing new; the best you can do to avoid them is simply to keep software up to date. Windows users should also consider a reputable antivirus and security package. While they can’t patch vulnerabilities in applications or operating systems, they can help protect vulnerable systems from known exploits.
The new zero-day vulnerability shows that criminals looking to exploit software flaws are becoming far more sophisticated — and they apparently have the resources (or at least the patience) to develop intricate attacks aimed at very narrow targets. It’s only a matter of time before some of those attacks make their way into widely-available malware toolkits and go from being quiet, isolated problems impacting an “extremely limited” number of people to problems that affect millions. Right now, we’re only finding out about these exploits because researchers stumble across them via a combination of skill and luck. There’s no telling how many exploits are out there on the Internet, right now, undiscovered.