With Internet Explorer users still exposed to as many as four active exploits of a zero-day vulnerability in the browser, Microsoft Tuesday night said it will release a FixIt in the next couple of days that will address the issue.

A FixIt is an automated tool provided by Microsoft that diagnoses and repairs problems on endpoints. The FixIt is meant as a temporary repair until Microsoft can provide either an out-of-band patch or a security update on Patch Tuesday Oct. 9.

“While we have only seen a few attempts to exploit this issue, impacting an extremely limited number of people, we are taking this proactive step to help ensure Internet Explorer customers are protected and able to safely browse online,” said Yunsun Wee, director of Microsoft Trustworthy Computing in a statement.

The announcement came hours after the discovery of additional servers hosting exploits. AlienVault Labs manager Jaime Blasco found the files and determined that the attackers were using a new malware payload in one exploit, and that they were in possession of the exploit prior to its public disclosure and the availability of a Metasploit exploit module.

The zero-day in IE 6-9 is a use-after-free memory corruption vulnerability, similar to a buffer overflow, that would enable an attacker to remotely execute code on a compromised machine. The original exploit payload dropped the PoisonIvy remote access Trojan (RAT) via a corrupted Flash movie file. The latest payload discovered dropped the PlugX RAT via the same corrupted Flash movie, Blasco said.

He also said the new exploits are the work of the Chinese hacker group Nitro, the same group behind a pair of Java zero-day exploits disclosed in August.

Blasco also said the new exploits appear to be targeting defense contractors in the United States and India.

Microsoft recommended several workarounds Tuesday morning before announcing its intention to send out a FixIt.

  • Set the Internet and Local intranet security zone settings to High, which blocks ActiveX Controls and Active Scripting in both zones
  • Configure IE to prompt the user before running Active Scripting, or disable Active Scripting in both zones
  • Use Microsoft’s Enhanced Mitigation Experience Toolkit (EMET), which provides mitigations without affecting website usability, as the first two options might
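The first two workarounds are per-user Internet Explorer security-zone settings that live in the registry, so they can be audited and applied without clicking through the Internet Options dialog on every machine. The following PowerShell script is an added example, not code from the article or from Microsoft's advisory; it assumes the standard zone key layout under the current user's hive (zone 1 = Local intranet, zone 3 = Internet), the value names 1200 (Run ActiveX controls and plug-ins) and 1400 (Active scripting) with 0 = Enable, 1 = Prompt, 3 = Disable, and CurrentLevel 0x12000 meaning High. It exports a backup first so the change can be reverted once the patch is installed.

```powershell
# Added example (not from the Threatpost article or Microsoft's advisory).
# Assumed registry layout: HKCU\...\Internet Settings\Zones\<id>, zone 1 = Local
# intranet, zone 3 = Internet; value 1200 = "Run ActiveX controls and plug-ins",
# value 1400 = "Active scripting"; 0 = Enable, 1 = Prompt, 3 = Disable;
# CurrentLevel 0x12000 = High security level.

$ZoneRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$Zones    = @{ 1 = 'Local intranet'; 3 = 'Internet' }
$Actions  = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-IEZoneState {
    # Report the current ActiveX and Active Scripting policy for both zones.
    foreach ($id in ($Zones.Keys | Sort-Object)) {
        $key = Join-Path $ZoneRoot $id
        $p   = Get-ItemProperty -Path $key
        [pscustomobject]@{
            Zone            = $Zones[$id]
            Level           = ('0x{0:X}' -f [int]$p.CurrentLevel)
            ActiveX         = $Actions[[int]$p.'1200']
            ActiveScripting = $Actions[[int]$p.'1400']
        }
    }
}

function Set-IEZoneWorkaround {
    param(
        # High            : zone level High, ActiveX and Active Scripting disabled
        # PromptScripting : ask the user before running Active Scripting
        # DisableScripting: turn Active Scripting off in both zones
        [Parameter(Mandatory)]
        [ValidateSet('High', 'PromptScripting', 'DisableScripting')]
        [string]$Mode,
        [string]$BackupPath = (Join-Path $env:TEMP 'ie-zones-backup.reg')
    )
    # Export the zone keys before touching them so the workaround can be reverted.
    & reg.exe export 'HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones' $BackupPath /y | Out-Null

    foreach ($id in $Zones.Keys) {
        $key = Join-Path $ZoneRoot $id
        switch ($Mode) {
            'High' {
                # CurrentLevel is only the label IE shows; the per-action values
                # below are what actually block ActiveX and scripting.
                Set-ItemProperty -Path $key -Name 'CurrentLevel' -Value 0x12000 -Type DWord
                Set-ItemProperty -Path $key -Name '1200' -Value 3 -Type DWord
                Set-ItemProperty -Path $key -Name '1400' -Value 3 -Type DWord
            }
            'PromptScripting'  { Set-ItemProperty -Path $key -Name '1400' -Value 1 -Type DWord }
            'DisableScripting' { Set-ItemProperty -Path $key -Name '1400' -Value 3 -Type DWord }
        }
    }
    Write-Host "Backup written to $BackupPath; restore with: reg.exe import `"$BackupPath`""
}

# Usage: show the state before, apply the prompt-only variant, show the state after.
Get-IEZoneState | Format-Table -AutoSize
Set-IEZoneWorkaround -Mode PromptScripting
Get-IEZoneState | Format-Table -AutoSize
```

The script changes only the current user's settings; for a fleet the same value names are normally pushed through Group Policy under HKLM instead. Any mode other than `PromptScripting` will break script-heavy sites, which is the usability cost the third workaround (EMET) is meant to avoid.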

Microsoft also said that IE running on Windows Server 2003, 2008 and 2008 R2 runs in a restricted mode that mitigates the vulnerability. Outlook, Outlook Express and Windows Mail also open HTML messages in a restricted zone, which mitigates the vulnerability, but a user who clicks a link in a message could still be exposed to the exploit.
