Microsoft on Wednesday issued a security advisory to users of its Internet Explorer Web browser about a newly disclosed vulnerability that could be exploited and used to run malicious code on vulnerable Windows systems.
The Redmond, Washington company said it is investigating new, public reports of a vulnerability in all supported versions of IE. The company said it is working on a patch and cooperating with anti-malware vendors in its Microsoft Active Protections Program (MAPP) and Microsoft Security Response Alliance to help expedite the distribution of protections against exploits using the hole. However, the company cautioned that the newly discovered vulnerability is not serious enough to warrant an out-of-cycle patch.
As reported by Threatpost, the new vulnerability was first disclosed by the IT security firm Vupen on December 9 and affects most versions of Microsoft’s Internet Explorer Web browser. If exploited, the hole could allow remote attackers to circumvent defensive features in fully patched Windows 7 and Windows Vista machines, and attack Microsoft’s latest version of Internet Explorer, IE8, to run malicious code on vulnerable systems.
The company, based in Montpellier, France, said it had discovered a “use-after-free” error in the mshtml.dll library – IE’s HTML rendering engine – that could allow attackers to take complete control of a vulnerable system.
Use-after-free errors happen when a program continues using a pointer to an area of computer memory after that memory has been freed. In some cases, the freed memory can be re-allocated and used to launch attacks, such as buffer overflows, that can result in malicious code being run on a vulnerable system, according to OWASP.
In this case, the flaw could be exploited when IE loads specially formatted Cascading Style Sheets (CSS) files that include @import rules, which allow Web sites to incorporate style sheets from external sites, Vupen said.
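A constructed model of the bug class described above, added here as an example and not code from the article, Vupen or Microsoft: a document keeps a raw pointer to an imported style sheet that the parser frees, beside a refcounted version in which the object outlives every holder. All names are hypothetical and the quarantine stands in for what a heap checker does.

```c
#include <stdlib.h>
/* Constructed model of the bug class in the article: a style sheet object
 * freed by the parser while the document still points at it. Hypothetical
 * names, not mshtml.dll's real data structures. Freed sheets are parked in a
 * quarantine (as heap checkers do) so a later use is recognised as dangling. */
typedef struct sheet { int refs; const char *href; } sheet;

#define QUARANTINE 16
static sheet *quarantine[QUARANTINE];
static int quarantined;
static sheet *sheet_new(const char *href) {
    sheet *s = calloc(1, sizeof *s);
    if (!s) abort();
    s->refs = 1; s->href = href;
    return s;
}

static void sheet_destroy(sheet *s) {
    if (quarantined < QUARANTINE) quarantine[quarantined++] = s;
    else free(s); /* quarantine full: real free, no longer detectable */
}
/* Refcounted release: destroy only when the last holder lets go. */
static void sheet_release(sheet *s) { if (--s->refs == 0) sheet_destroy(s); }

/* 1 if s was destroyed earlier, i.e. any use now is a use-after-free. */
static int sheet_is_dangling(const sheet *s) {
    for (int i = 0; i < quarantined; i++)
        if (quarantine[i] == s) return 1;
    return 0;
}

/* Vulnerable flow: the parser destroys the imported sheet outright while the
 * document still holds a raw pointer, then the document reads through it. */
static int document_reload_vulnerable(void) {
    sheet *imported = sheet_new("http://example.invalid/a.css");
    sheet *doc_ref = imported;          /* alias, no reference taken */
    sheet_destroy(imported);            /* parser drops the sheet */
    return sheet_is_dangling(doc_ref);  /* 1: a real engine reads freed memory */
}

/* Hardened flow: every holder owns a reference, so the parser's release
 * cannot free an object the document is still using. */
static int document_reload_fixed(void) {
    sheet *imported = sheet_new("http://example.invalid/a.css");
    sheet *doc_ref = imported; doc_ref->refs++;  /* document takes a reference */
    sheet_release(imported);                     /* parser's reference dropped */
    int dangling = sheet_is_dangling(doc_ref);   /* 0: still live */
    sheet_release(doc_ref);                      /* last holder destroys it */
    return dangling;
}
```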
In its advisory, Microsoft said that existing features like IE Protected Mode and the default Enhanced Security Configuration for newer versions of IE on Windows Server 2003 and 2008 would mitigate the impact of the vulnerability by reducing the privileges that attackers have on Windows systems should they successfully compromise IE.
However, a version of a public exploit has already been added to the Metasploit Framework, a free testing tool. That, when combined with other attack techniques, could allow attackers to circumvent more recent Microsoft protections such as Data Execution Protection (DEP) and Address Space Layout Randomization (ASLR), which are specifically designed to thwart malicious code.
In a separate post, Fermin J. Serna, a Security Software Engineer at Microsoft, explained how those technologies might be circumvented and suggested a workaround to prevent them from being defeated in an attack using the new IE hole.