How to protect yourself from Internet Explorer’s latest zero-day vulnerability

We know it sounds like a broken record: A new security vulnerability has been found in Microsoft Internet Explorer that can enable attackers to take over a computer, collect personal data, run any software they like, yada yada yada. However, this one comes with a bit of a twist: The vulnerability is being actively exploited in the wild, and was apparently produced by the same group of Chinese attackers who launched targeted attacks using the critical Java vulnerabilities Oracle patched last month. All it takes to take over a vulnerable system is visiting a maliciously-crafted Web site.

More bad news: The bug affects Internet Explorer 7, 8, and 9 on Windows XP, Windows Vista, and Windows 7, meaning millions of people are potentially vulnerable. Even more bad news: Microsoft has not yet issued a patch, and security companies (and even governments) are recommending users stop using Internet Explorer and switch to another browser — at least until the exploit is patched.

There is some good news: IE users can protect themselves in the meantime by installing Microsoft’s Enhanced Mitigation Experience Toolkit — but that may not be a slam dunk.

What’s the problem?

The exploit was first uncovered and publicized by Luxembourg-based security researcher Eric Romang, who found it on a server used by Chinese malware developers. The Metasploit team and Romang quickly verified the vulnerability and added it to their open source vulnerability testing framework. Normally security researchers quietly report vulnerabilities to appropriate companies and only release details when a patch becomes available. However, in this case the exploit was discovered out and around on the Internet, so going public seemed like the fastest way to help protect people.

There are indications this exploit was developed by the same group that developed the so-called “Nitro” attacks of 2011, which appear to have been industrial espionage efforts targeting defense and chemical companies. The new zero-day exploit seems to be along the same lines. AlienVault manager Jaime Blasco has uncovered evidence that sites carrying the new IE vulnerability may be targeting defense contractors.

The attack itself can be placed in any Web page. It loads an Adobe Flash file that performs a “heap spray” (basically, seeding code throughout memory used by Internet Explorer) to load an iframe which, in turn, downloads the malware executable. This executable enables attackers to monitor remote computers and steal data. It’s important to note that while the current attack uses Adobe Flash, this particular vulnerability itself is not in Flash, but Internet Explorer.

The team that developed the zero-day exploit was apparently not very happy to be outed by Romang: The attack disappeared from the server where Romang found it over the weekend.

By Monday, Microsoft had issued a security advisory on the vulnerability.

Who’s affected?

Internet Explorer 7, 8, and 9 running under Windows XP, Windows Vista, and Windows 7 are all vulnerable to the attack. Right now, the exploit appears to only be used to target specific industries — probably at the business end of a “spearphishing” campaign. Microsoft’s Director of Trustworthy Computing Yunsun Wee claims an “extremely limited number of people” have been impacted by the problem.

Nonetheless, there’s absolutely no telling how long this exploit has been used in the wild — it could easily pre-date things like the recent Java exploits. The number of potentially vulnerable users is gigantic: Security firm Rapid7 estimated as many as 41 percent of North American Internet users are vulnerable to the exploit. As with last month’s Java vulnerabilities, there’s always the possibility this exploit will make it into frameworks and toolkits used by a much wider group of malware authors and hackers. If that happens, the attack could suddenly be targeting millions of people.

What to do?

Microsoft’s Yunsun Wee says a fix will be available from Microsoft “within the next few days.” Users will be able to patch Internet Explorer with a one-click installation, and Microsoft claims the patch won’t impact users’ Web browsing, or even require users to reboot their computers.

In the meantime, Microsoft has recommended users install the Enhanced Mitigation Experience Toolkit (EMET), a collection of tools and utilities that adds security layers and defenses to older versions of Windows and hardens more recent versions of Windows against known exploits.

EMET is separate from Microsoft’s product-related security updates. The idea is to offer patches, lockdowns, and mitigation techniques that aren’t tied to any particular product, on a schedule that is also not tied to any particular product. EMET can’t really protect against new exploits, but can help protect Windows users against known exploits and variants on known exploits. It has to be separately downloaded, installed, and then manually configured to protect against this particular threat.

Microsoft also recommends Internet Explorer users set their Internet and local intranet security zone settings to “High” to prevent ActiveX and Active Scripting components from loading from sites in those zones. This will protect users against the attack, but it’s also pretty likely to impact Web usability. If sites have problems, users will have to add sites they trust to IE’s Trusted Sites zone to get them to work — and once a site gets added to that list, most users never remember to remove it again once a patch is available.
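A read-only way to check the zone settings described above and to list the Trusted Sites entries that should be reviewed once the patch ships. This is an added example, not code from Microsoft or from the original article; it assumes the per-user registry locations under HKCU (Group Policy settings stored elsewhere may override them) and the standard zone numbers and URL action IDs noted in the comments.

```powershell
# Added example: audits the current user's IE zone hardening. Makes no changes.
# Assumption: per-user settings under HKCU; Group Policy may override these.
$base    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$zones   = @{ 1 = 'Local intranet'; 3 = 'Internet' }       # zone 2 = Trusted sites
$actions = @{ '1200' = 'Run ActiveX controls and plug-ins'
              '1400' = 'Active scripting' }
$High     = 0x12000   # CurrentLevel value written by the "High" template
$Disabled = 3         # URL action values: 0 = allow, 1 = prompt, 3 = disable

function Get-ZoneHardening {
    foreach ($id in ($zones.Keys | Sort-Object)) {
        $props = Get-ItemProperty -Path (Join-Path $base "Zones\$id") -ErrorAction SilentlyContinue
        if (-not $props) { Write-Warning "$($zones[$id]): zone key not found"; continue }
        foreach ($a in ($actions.Keys | Sort-Object)) {
            [pscustomobject]@{
                Zone        = $zones[$id]
                LevelIsHigh = ($props.CurrentLevel -eq $High)
                Setting     = $actions[$a]
                Blocked     = ($props.$a -eq $Disabled)
            }
        }
    }
}

function Get-TrustedSiteEntry {
    # ZoneMap\Domains\<domain>[\<subdomain>] holds one value per protocol;
    # the value data is the zone number the site was assigned to.
    $root = Join-Path $base 'ZoneMap\Domains'
    Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $key   = $_
        $parts = ($key.Name -replace '^.*\\ZoneMap\\Domains\\', '') -split '\\'
        [array]::Reverse($parts)                  # "example.com\www" -> www.example.com
        foreach ($proto in $key.GetValueNames()) {
            if ($key.GetValue($proto) -eq 2) {    # 2 = Trusted sites zone
                [pscustomobject]@{ Protocol = $proto; Site = ($parts -join '.') }
            }
        }
    }
}

Get-ZoneHardening    | Format-Table -AutoSize
Get-TrustedSiteEntry | Format-Table -AutoSize
```

Any row with `Blocked` set to `False` means that zone still allows or prompts for the component; any site listed by the second function bypasses the “High” setting and is a candidate for removal after patching.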

So what about another browser?

Of course, another way to avoid this zero-day vulnerability is simply not to use Internet Explorer. It’s worth noting that none of the other mainstream Web browsers available for Windows — including Chrome, Firefox, Opera, and Safari — are vulnerable to this exploit. In fact, many security experts are recommending Internet Explorer users switch to a different browser until Microsoft issues a patch, and the German government’s Federal Office for Information Security (German) is saying the same thing.

Switching to another browser — even temporarily — might be a viable workaround for many users. It’s not as if Chrome, Firefox, Opera, or Safari are magically immune from zero-day bugs themselves, but at least they aren’t vulnerable to this particular problem that’s casting a shadow over Internet Explorer.

However, for many users, switching away from IE simply isn’t an option. Using Internet Explorer might be mandated by a school or IT department, and there are some sites and services that simply don’t function right (or at all) in anything but Internet Explorer.

Bottom line

Security exploits — especially in Internet Explorer — are nothing new; the best you can do to avoid them is simply to keep software up to date. Windows users should also consider a reputable antivirus and security package. While they can’t patch vulnerabilities in applications or operating systems, they can help protect vulnerable systems from known exploits.

The new zero-day vulnerability shows that criminals looking to exploit software flaws are becoming far more sophisticated — and they apparently have the resources (or at least the patience) to develop intricate attacks aimed at very narrow targets. It’s only a matter of time before some of those attacks make their way into widely-available malware toolkits and go from being quiet, isolated problems impacting an “extremely limited” number of people to problems that affect millions. Right now, we’re only finding out about these exploits because researchers stumble across them via a combination of skill and luck. There’s no telling how many exploits are out there on the Internet, right now, undiscovered.

