There’s a new flaw in all of the current versions of Internet Explorer that is being used in some targeted attacks right now. Microsoft has confirmed the bug and said it is working on a fix, but has no timeline for the patch release yet. The company did not rule out an emergency out-of-band patch, however.
The new bug in Internet Explorer affects versions 6, 7 and 8, but is not present in IE 9 beta releases, Microsoft said. The company has released an advisory on the IE vulnerability and says that some of the exploit protections it has added to recent versions of IE and Windows can help protect against attacks on the bug. Microsoft said that IE 8 running on Windows XP SP 3 and later versions of Windows has DEP (Data Execution Prevention) enabled by default, which helps stop attacks against this specific bug. IE running in Protected Mode also helps mitigate the effects of attacks.
“The vulnerability exists due to an invalid flag reference within
Internet Explorer. It is possible under certain conditions for the
invalid flag reference to be accessed after an object is deleted. In a
specially-crafted attack, in attempting to access a freed object,
Internet Explorer can be caused to allow remote code execution.
“At
this time, we are aware of targeted attacks attempting to use this
vulnerability. We will continue to monitor the threat environment and
update this advisory if this situation changes. On completion of this
investigation, Microsoft will take the appropriate action to protect our
customers, which may include providing a solution through our monthly
security update release process, or an out-of-cycle security update,
depending on customer needs,” Microsoft said in its advisory.
The new IE flaw is likely to be targeted through drive-by download attacks, a common attack scenario for browser vulnerabilities.
“In a Web-based attack scenario, an attacker could host a Web site that
contains a Web page that is used to exploit this vulnerability. In
addition, compromised Web sites and Web sites that accept or host
user-provided content or advertisements could contain specially crafted
content that could exploit this vulnerability. In all cases, however, an
attacker would have no way to force users to visit these Web sites.
Instead, an attacker would have to convince users to visit the Web site,
typically by getting them to click a link in an e-mail message or
Instant Messenger message that takes users to the attacker’s Web site,” Microsoft said.