Security experts are warning enterprise and consumer users to stay away from Internet Explorer until Microsoft issues a patch for a new zero-day vulnerability in the browser. Active exploits have been discovered in the wild and are being linked to Nitro, the same group of hackers from China who were exploiting two Java zero-days in late August.
An exploit was developed over the weekend for the Metasploit exploit toolkit after the zero-day was found by researcher and Metasploit contributor Eric Romang. Romang discovered that a new use-after-free vulnerability in IE was being exploited while monitoring some of the servers infected in the Java attacks.
IE 7, 8 and 9 are vulnerable on Windows XP, Vista and 7, researchers at Metasploit said.
“Since Microsoft has not released a patch for this vulnerability yet, Internet users are strongly advised to switch to other browsers such as Chrome or Firefox until a security update becomes available,” a post on the Metasploit community blog said. “The exploit had already been used by malicious attackers in the wild before it was published in Metasploit.”
Tod Beardsley, Metasploit Engineering Manager, said the vulnerability is similar to a buffer overflow.
“The gist of it is, if a user visits a website with the exploit on it, the attacker can run code of his choice in the context of the user,” Beardsley said. “Typically, you’ll get a command shell and you’ll be able to do anything the user can, such as delete or add files or change registry values.”
Romang had a busy weekend. Monitoring the infected servers on Saturday, he found four files in a /public/help folder. The files included an executable, two HTML files and a Flash movie. The movie would load when a user landed on an infected webpage. The movie loads the executable and the other HTML page, dropping the executable onto the victim machine. He tested the files on a patched Windows XP Pro SP3 machine with a patched Adobe Flash Player and was still infected, he said. Romang added that none of the files were detected by antimalware protection.
The IE zero-day comes on the heels of a zero-day in Oracle’s Java 7; exploits were being used in targeted attacks that installed a version of the Poison Ivy Remote Access Trojan on victim machines. Only Java 7 is vulnerable, and exploits worked against fully patched Windows 7 machines running Java 7 Update 6. Oracle has since patched both vulnerabilities in Java 7 Update 7, but shortly after the fix was released, researchers found a new bug that allowed a complete Java sandbox escape.
Desktop and Windows admins have a busy time ahead of them. “I can confirm, the zero-day season is really not over yet,” Romang said.