Microsoft issued a security advisory Monday night and recommended several workarounds to mitigate a zero-day vulnerability in Internet Explorer reported over the weekend that is being exploited in the wild. Microsoft said it is still investigating the vulnerability, and may issue an out-of-band security update to patch the problem, or wait until the next Patch Tuesday update Oct. 9.
The latest IE zero-day flaw is a memory corruption bug that gives an attacker the ability to execute code remotely. Active, targeted exploits were also detected and linked to the Chinese hacking group Nitro, which was also tied to exploits of two Java zero-day vulnerabilities three weeks ago.
IE versions 6-9 are vulnerable, Microsoft said.
Microsoft recommends a series of workarounds:
- Set the Internet and Local intranet security zones to High, which blocks ActiveX controls and Active Scripting in both zones
- Configure IE to prompt the user before running Active Scripting, or disable Active Scripting in both zones
- Use Microsoft’s Enhanced Mitigation Experience Toolkit (EMET), which also provides mitigations and, unlike the first two options, would not affect website usability
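The second workaround above (prompting before Active Scripting, with ActiveX set to prompt as well) can be applied per user from PowerShell. The snippet below is an added example, not code from Microsoft's advisory; it assumes the standard IE zone-policy registry layout (zone 1 = Local intranet, zone 3 = Internet; value 1400 = Active scripting, 1200 = Run ActiveX controls and plug-ins; data 0 = Enable, 1 = Prompt, 3 = Disable) and records the current settings first so the change can be rolled back once a patch ships.

```powershell
# Added example (not from the advisory): apply the "prompt before Active Scripting"
# workaround to the Internet (zone 3) and Local intranet (zone 1) zones for the
# current user. Registry names are the standard IE zone-policy identifiers
# (assumption: 1400 = Active scripting, 1200 = Run ActiveX controls and plug-ins;
# data 0 = Enable, 1 = Prompt, 3 = Disable).

$zonesRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$zones   = @{ 1 = 'Local intranet'; 3 = 'Internet' }
$actions = @{ '1400' = 'Active scripting'; '1200' = 'Run ActiveX controls and plug-ins' }
$labels  = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-IEZoneAction {
    param([int]$Zone, [string]$Action)
    $key = Join-Path $zonesRoot $Zone
    $v = (Get-ItemProperty -Path $key -Name $Action -ErrorAction SilentlyContinue).$Action
    if ($null -eq $v) { 'not set (zone default)' } else { $labels[[int]$v] }
}

function Set-IEZoneAction {
    param([int]$Zone, [string]$Action, [int]$Data)
    $key = Join-Path $zonesRoot $Zone
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name $Action -Value $Data -Type DWord
}

# Record the current settings before changing anything so the workaround can be
# reverted after the fix is installed.
$before = foreach ($z in $zones.Keys) {
    foreach ($a in $actions.Keys) {
        [pscustomobject]@{ Zone = $zones[$z]; Action = $actions[$a]; Before = Get-IEZoneAction $z $a }
    }
}
$before | Format-Table -AutoSize

# Workaround: Prompt (1) for Active Scripting and for ActiveX in both zones.
foreach ($z in $zones.Keys) {
    Set-IEZoneAction -Zone $z -Action '1400' -Data 1
    Set-IEZoneAction -Zone $z -Action '1200' -Data 1
}
```

Per-user (HKCU) zone settings are ignored when a machine is configured to read zone policy from HKLM only, and in a domain the equivalent settings are normally pushed through Group Policy rather than edited on each client; either way, keep the "Before" table so the tighter settings can be relaxed once the patch is deployed.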
Microsoft also said that IE running on Windows Server 2003, 2008 and 2008 R2 runs in a restricted mode that mitigates the vulnerability. Outlook, Outlook Express and Windows Mail also open HTML messages in a restricted zone, which mitigates the vulnerability; should a user click a link in a message, however, they could still be exposed to exploitation.
The memory corruption vulnerability stems from the way IE accesses an object that has been deleted or not properly allocated. Attackers would have to lure a user to a website crafted to exploit the vulnerability; a successful exploit would give an attacker the ability to execute code in the context of the current user.
The bug was discovered by security researcher Eric Romang over the weekend. Romang was monitoring servers infected by exploits against the Java zero-day vulnerabilities when he discovered the IE exploits tucked away on the same servers. The exploit files he saw included an exploit HTML page, an infected Flash movie and an executable that gets dropped on the victim machine, none of which, he said, were detected by antimalware protections.
Romang, a Metasploit contributor, worked with other researchers on an exploit module that was inserted into Metasploit on Monday.
The Nitro hacker group is also reportedly behind active targeted attacks exploiting the zero-day vulnerabilities in Oracle’s Java 7 that installed versions of the Poison Ivy remote access trojan (RAT) on compromised machines. Oracle patched both vulnerabilities in Java 7 Update 7, but researchers quickly found a new bug, enabled by the update, that allowed a complete Java sandbox escape.
Windows system administrators had a quiet September security update cycle last week and were urged to prepare in advance for an October change to certificate key length requirements. Microsoft released two bulletins rated “important” and reiterated that it will no longer accept digital certificates with key lengths shorter than 1024 bits. Microsoft will release an automated updater that will serve as the mechanism for revoking untrusted or forged certificates going forward. In addition, certificates with the shorter key lengths will automatically be considered invalid regardless of their trustworthiness. The updater will check daily for information about certificates that are no longer valid and will automatically revoke them; previously, this was a manual process.
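Before the October change takes effect, the practical check is to find any certificate in the machine stores whose RSA key is shorter than the 1024-bit cutoff the article reports. The script below is an added example, not Microsoft's own tooling; the store list and the `$minBits` threshold are assumptions, and the check is restricted to RSA keys because that is the algorithm the length rule applies to.

```powershell
# Added example (not from the article): list certificates in the local machine
# stores whose RSA public key is shorter than the cutoff Microsoft announced.
# Store paths and the threshold variable are assumptions for illustration.

$minBits = 1024
$stores  = 'Cert:\LocalMachine\My', 'Cert:\LocalMachine\Root', 'Cert:\LocalMachine\CA'

function Get-RsaKeySize {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Only RSA keys are subject to the length rule; skip other algorithms (e.g. ECC).
    if ($Cert.PublicKey.Oid.FriendlyName -ne 'RSA') { return $null }
    try { return $Cert.PublicKey.Key.KeySize } catch { return $null }
}

function Find-WeakRsaCertificate {
    param([string[]]$StorePaths, [int]$MinimumBits)
    foreach ($path in $StorePaths) {
        if (-not (Test-Path $path)) { continue }
        foreach ($cert in Get-ChildItem -Path $path) {
            $bits = Get-RsaKeySize -Cert $cert
            if ($null -ne $bits -and $bits -lt $MinimumBits) {
                [pscustomobject]@{
                    Store      = $path
                    Subject    = $cert.Subject
                    Issuer     = $cert.Issuer
                    KeyBits    = $bits
                    NotAfter   = $cert.NotAfter
                    Thumbprint = $cert.Thumbprint
                }
            }
        }
    }
}

$weak = Find-WeakRsaCertificate -StorePaths $stores -MinimumBits $minBits
if ($weak) {
    $weak | Sort-Object KeyBits | Format-Table -AutoSize
} else {
    "No RSA certificates under $minBits bits found in: $($stores -join ', ')"
}
```

Run it elevated so the LocalMachine stores are readable, and repeat with `Cert:\CurrentUser\...` paths for per-user stores; any hit in `My` is a server or client certificate that will need reissuing, while a hit in `Root` or `CA` points at a trust chain that will break once the enforcement lands.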