Zero-day in Internet Explorer causes Microsoft to issue advisory
Warnings have been made about a zero-day vulnerability in Internet Explorer.
It was discovered by security researcher Eric Romang, who found a '/public/help' folder hosting four files on one of the Nitro servers. In tests, they dropped files including an executable, an SWF file and two HTML files.
Romang said that 'exploit.html' is recognised as an HTML file, while 'Moh2010.swf' is recognised as a Macromedia Flash Player movie, and neither is detected as malicious by any anti-virus software.
Romang said: “The guys who developed this new zero-day were not happy to have been [caught], they just removed all the files from the source server two days after my discovery. But also more interesting they also removed a Java zero-day variant from other folders.”
Symantec's Lionel Payet said: “We have confirmed this vulnerability affects versions 9, 8, and 7 of the Internet Explorer browser. Microsoft has not yet confirmed and released an official statement about this vulnerability.”
Wolfgang Kandek, CTO of Qualys, said: “Analysis of the exploit file shows that it uses Adobe Flash to set up the necessary environment. A Metasploit module for the exploit was released today, allowing one to test the exploit. We expect the exploit to be integrated in all major attack frameworks soon.”
Metasploit project owner Rapid7 said that Microsoft has not yet released a patch for this vulnerability and advised internet users to switch to other browsers until a security update becomes available.
Rapid7 researcher 'sinn3r' wrote on the firm's blog: “The exploit had already been used by malicious attackers in the wild before it was published in Metasploit. The associated vulnerability puts about 41 per cent of internet users in North America and 32 per cent worldwide at risk. We have added the zero-day exploit module to Metasploit to give the security community a way to test if their systems are vulnerable and to develop countermeasures.”
Yunsun Wee, director of the Microsoft Trustworthy Computing Group, said that the company was releasing Security Advisory 2757760 to address the issue, but also pointed out that Internet Explorer 10 is not affected.
“We have received reports of only a small number of targeted attacks and are working to develop a security update to address this issue,” Wee said.
Microsoft recommends three workarounds: deploying the Enhanced Mitigation Experience Toolkit (EMET) to help prevent exploitation; setting the internet and local intranet security zones to 'high' to block ActiveX Controls and Active Scripting in these zones; and configuring Internet Explorer to prompt before running Active Scripting, or disabling Active Scripting in the internet and local intranet security zones.
Wee said: “Deploying EMET will help to prevent a malicious website from successfully exploiting the issue described in Security Advisory 2757760. EMET in action is unobtrusive and should not affect customers' web browsing experience.”
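The zone workarounds listed above can be audited from the registry. The following PowerShell is an added example, not code from Microsoft or from this article. It uses the standard Internet Explorer zone registry values (zones 1 and 3, actions 1400 and 1200, CurrentLevel 0x12000 for 'high'), and the order in which it checks policy and user keys is a simplifying assumption.

```powershell
# Added example: audit the IE zone workarounds described above.
# Zone 1 = Local intranet, zone 3 = Internet.
# Action 1400 = Active Scripting, 1200 = Run ActiveX controls and plug-ins.
# Action values: 0 = enable, 1 = prompt, 3 = disable. CurrentLevel 0x12000 = High.
$roots = @(   # assumed lookup order: machine policy, user policy, user setting
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',
    'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
)
$zones  = @(@{ Id = 1; Name = 'Local intranet' }, @{ Id = 3; Name = 'Internet' })
$checks = @(
    @{ Id = '1400'; Name = 'Active Scripting';     Ok = @(1, 3) },  # prompt or disable
    @{ Id = '1200'; Name = 'Run ActiveX controls'; Ok = @(3) }      # disable
)

function Get-ZoneValue {
    param([int]$Zone, [string]$Name)
    foreach ($root in $roots) {
        $path = Join-Path $root ([string]$Zone)
        $item = Get-ItemProperty -Path $path -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            return New-Object psobject -Property @{ Value = $item.$Name; Source = $root }
        }
    }
    return $null   # value not present under any of the three keys
}

$report = foreach ($z in $zones) {
    $level  = Get-ZoneValue -Zone $z.Id -Name 'CurrentLevel'
    $isHigh = ($null -ne $level) -and ($level.Value -eq 0x12000)
    foreach ($c in $checks) {
        $v = Get-ZoneValue -Zone $z.Id -Name $c.Id
        $value = 'not set'; $source = '-'; $ok = $false
        if ($null -ne $v) {
            $value = $v.Value; $source = $v.Source
            $ok = $c.Ok -contains $v.Value
        }
        New-Object psobject -Property @{
            Zone = $z.Name; Setting = $c.Name; Value = $value
            ZoneIsHigh = $isHigh; Compliant = $ok; Source = $source
        }
    }
}
$report | Format-Table Zone, Setting, Value, ZoneIsHigh, Compliant, Source -AutoSize
```

Run it as the logged-on user being audited, because the HKCU keys are per user.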