bit-tech.net

Microsoft warns of Internet Explorer zero-day vulnerability

Internet Explorer 8 and older, but not Internet Explorer 9 or 10, is vulnerable to a remote code execution attack, Microsoft has warned.

Microsoft has released a temporary 'Fix It' for a zero-day flaw affecting older versions of its Internet Explorer browser, following reports that the vulnerability is being exploited by ne'er-do-wells.

The flaw, identified in Microsoft Security Advisory 2794220, affects Internet Explorer 6, 7 and 8, but is not thought to be exploitable in Internet Explorer 9 or 10 - meaning Windows 8 users are off the hook on this one. For those affected, however, it's a serious bug: the flaw, first discovered by security research firm FireEye, allows an attacker to execute code under the privilege level of the current user.

To exploit the vulnerability, the attacker must somehow convince his or her victim to visit a site containing the malicious code. These sites have already been spotted in the wild, with researchers discovering multiple sites infected with the malware as far back as December. By injecting their code into apparently innocent sites - the first site to host the exploit code was the US Council on Foreign Relations' official website - attackers are able to infect all visitors using affected browser versions.

The obvious solution is to ditch the outdated browser in question: Microsoft's Internet Explorer 9 and 10 are both immune to this particular attack, as are third-party browsers from the likes of the Mozilla Foundation, Opera and Google. Alternatively, Microsoft has made a 'Fix It' pre-patch available, which disables the affected MSHTML shim until a proper patch is provided.

With a total of six websites known to be infected with the exploit code according to figures from anti-virus firm Sophos, the attack isn't exactly widespread - but the seriousness of a remote code execution attack, and the likelihood that malware authors will increase their efforts to make use of the flaw ahead of an official patch from Microsoft, mean that users are well advised to take action as soon as possible.

'If you use Internet Explorer, be sure you are using at least version 9 to avoid being a victim of these attacks. If you can't upgrade, consider using an alternative browser until an official fix is available,' Sophos' Chester Wisniewski advised following analysis of the vulnerability. 'Microsoft's Fix It is intended as a temporary workaround that could also be considered, but until an official fix is available I recommend avoiding IE 8 and lower.'

6 Comments

PingCrosby 2nd January 2013, 11:20 Quote
I once knew a ne'er-do-well who'd admitted to doing 35mph in a 30mph zone, I know, shocking isn't it. Anyway I fessed him up to the pigs, mind you this could also have had something to do with him having his dabs on my wife's sparklers, no-one has their dabs on my wife's sparklers apart from me. Anyways Freddie 'The Fingers' Finlinson is doin chokey at her majesty's pleasure and has just found out why Mr Big is called Mr Big when he went to pick up his soap in the showers..... Happy Easter
Aracos 2nd January 2013, 20:17 Quote
If people are still using IE 6, 7 or 8 then they do sort of deserve these problems. IE9 has been out for 21 months, surely that is long enough for businesses to upgrade?
AmEv 2nd January 2013, 21:29 Quote
Quote:
Originally Posted by Aracos
If people are still using IE 6, 7 or 8 then they do sort of deserve these problems. IE9 has been out for 21 months, surely that is long enough for businesses to upgrade?

Except that most of the local businesses I know of still use XP. They don't see the worth of upgrading to 7.

I'm sure that most small businesses that bought used computers years ago, before 7 was released, downgraded to XP from Vista.


Oh, and 9 isn't available on XP.
monkeydud 2nd January 2013, 22:32 Quote
We were stuck on IE5 in the hospital I work at and they have only gone to 7. Seems stupid to me to leave themselves so open to issues.

Sent from my HTC One X using Tapatalk 2
Anfield 2nd January 2013, 22:47 Quote
Quote:
Originally Posted by Aracos
If people are still using IE 6, 7 or 8 then they do sort of deserve these problems. IE9 has been out for 21 months, surely that is long enough for businesses to upgrade?

There is very often old company specific software around that doesn't play nice with newer IE versions (not even to mention alternative browsers) due to those "new" browsers often adhering to standards while a lot of company internal software was written specifically for the old IE versions that didn't follow standards.
Plus many companies lock down the internet heavily anyway for the bulk of employees, so the risk isn't as big as if you were to use those ancient IE versions at home, although personally I'd still call it grossly irresponsible.
SuicideNeil 3rd January 2013, 02:34 Quote
^That. In my previous job we had 2 office PCs (each one for specific etail stuff), both running XP. One was neutered so that internet access was disabled from the headoffice end (despite my best efforts..), it could only receive product updates, label files & price corrections, plus transmit orders via specific software. The other had IE6 but was run through proxy software so that no executable files could be run (not even Windows updates - the irony...) & any website deemed non-productive was blocked.

Home users are another issue though - anyone not totally computer illiterate should be more up to date....