IE zero-day flaw unpatched on XP

Barely three weeks after Microsoft shut-off patching support for Windows XP and a new zero-day flaw for Internet Explorer is likely to go unpatched on the dated operating system.

IE zero-day flaw unpatched on XP
IE zero-day flaw unpatched on XP

In a security advisory note post published over the weekend, Microsoft revealed that the remote code execution vulnerability affects versions of Internet Explorer from 6 through to 11 - with these running on all versions of Windows from Vista to 8 and Windows Server 2003 to 2012 R2.


What's most worrying about the flaw however is that - should a user click on a malicious phishing link - it potentially allows hackers to access memory data on a user's computer or even install and delete programmes if the user has administrative user rights.


Microsoft explains more: “An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website.”


The Redmond software giant is now investigating and has assigned the vulnerability an official name of CVE-2014-1776.


"On completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include providing a solution through our monthly security update release process, or an out-of-cycle security update, depending on customer needs."


This ‘appropriate action' is likely to entail patches for more recent versions of Windows and Windows Server, but the one notable absence in all this is Windows XP, which went end-of-life on April 8.


With many businesses still running the 12-year old operating system, Microsoft admitted that it's likely to result in ‘targeted attacks' - although some companies are now paying the firm roughly £120 per machine per year for extended support.


"At this time we are aware of limited, targeted attacks. We encourage customers to follow the suggested mitigations outlined in the security advisory while an update is finalised", said a spokesman.

 

Independent security researcher Graham Cluley said that the vulnerability will probably remain unpatched on Windows XP.

 

“That's not because it's immune to attack. It's because Microsoft released its last ever security patches for Windows XP on 8 April 2014,” wrote Cluley in a blog post.

“As such, this is worth saying out loud: If you are still running Windows XP you will never receive a patch for this zero-day vulnerability,” he said.

Anti-virus maker Symantec also spotted the vulnerability while FireEye - which protects against advanced persistent threats - has since blogged how the zero-day bypasses Microsoft's ASLR (Address Space Layout Randomization) and DEP (Data Execution Prevention) security protections. The firm added that NetMarketShare stats suggest that the vulnerability affects approximately a half of the browser market.

 

Pedro Bustamante, director of special projects at Malwarebytes, believes that companies that are yet to upgrade to Windows 7 could be targeted by spam and phishing attacks.


“The interim risk to people and businesses using IE 6 to 11, until MS pushes out a patch, is worrying,” he said in an email to SCMagazineUK.com.


“However, there is also an ongoing problem that anyone still using XP will be completely exposed as long as they continue to use the OS, as there will never be a patch.  This is worrying because it can put a significant amount of personal data at risk from highly stealthy attacks, including bank details and other private information.


“Businesses using IE should remain ultra-cautious as they will obviously hold a far greater cache of potentially sensitive information. In large organisations, the default advice of switching to another browser may be difficult to administer. Therefore, if you are running a corporate network, this is a prime opportunity to ensure all software updates are applied, anti-malware and anti-virus definitions are current and increased vigilance around spam and phishing.  


All is not lost for organisations still reliant on the OS though; Microsoft has advised firms to deploy version 4.1 of The Enhanced Mitigation Experience Toolkit (EMET) as the software “helps mitigate the exploitation of this vulnerability by adding additional protection layers that make the vulnerability harder to exploit.” 

 

Furthermore, it has advised companies to switch on IE's Enhanced Protected Mode, or set security settings to “High” to stop ActiveX controls - something anti-virus vendor ESET also advises.


“Firstly, don't panic. The known attacks at present are limited in scope and volume. Being reasonably careful about which sites you visit is in itself likely to reduce the risk. On the other hand, users shouldn't lapse into complacency,”  said ESET senior research fellow David Harley in an email to SCMagazineUK.com.

 

“Setting IE Active Scripting and ActiveX to prompt can be mildly irritating for a user, but it does seems to reduce the attack surface if you actually disallow it on prompt, unless you know you need it, or try disabling it altogether.

 

“The simplest route is to set IE security levels to ‘high', or use Enhanced Protected Mode in IE versions that support it. As a way of generally decreasing the attack surface on an unsupported OS, Windows XP users should already be setting IE security level to ‘high'.”