Microsoft battles with Internet Explorer zero-day over Christmas

News by Dan Raywood

Microsoft was hit by a zero-day vulnerability that affected versions 6, 7 and 8 of Internet Explorer over the Christmas period.

According to the company, the vulnerability could allow remote code execution in three versions of the browser. Microsoft said that it was aware of targeted attacks attempting to exploit this vulnerability through Internet Explorer 8, while Internet Explorer 9 and Internet Explorer 10 were not affected.

It said: “The vulnerability is a remote code execution vulnerability that exists in the way that Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated. The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer.

“An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website.”

In a web-based attack scenario, it said, an attacker could host a website containing a web page that is used to exploit this vulnerability, while compromised websites and websites that accept or host user-provided content or advertisements could also contain specially crafted content that exploits it. However, in all cases, an attacker would have no way to force users to visit these websites.

As a stopgap until a patch is issued, Microsoft has released a Fix It workaround and encouraged users to deploy the Microsoft Enhanced Mitigation Experience Toolkit (EMET) to help prevent exploitation of this vulnerability.

The issue was initially detected by FireEye, which received reports that the Council on Foreign Relations (CFR) website was compromised and hosting malicious content on Boxing Day, and may have been hosting it as early as Friday 21st December.

Sophos Labs said it has records showing the website was infected as far back as 7th December and that it had seen the exploit used on at least five additional websites.

Jaime Blasco, head of AlienVault's Labs, also saw the CFR infection and said that the malicious code was a JavaScript file that sets a cookie on the victim's system to check if the same machine visited the link before, followed by a check that the victim is running Internet Explorer 8 and that Adobe Flash is present on the browser. He also said that it will not continue if the browser language is not Chinese, Chinese (Taiwan), Japanese, Korean, or Russian.
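The profiling steps Blasco describes (revisit cookie, IE8 check, Flash check, language gate) can be turned into a simple triage heuristic for scripts captured from a suspect page. The Python below is an added example, not code from the article or from AlienVault; the sample script it scans is constructed to mirror the described checks and is not the actual CFR payload.

```python
import re

# Constructed sample of the kind of page-profiling script described in the
# article (not the real payload): sets a revisit cookie, checks for IE8 and
# Flash, and only proceeds for a short list of browser languages.
SAMPLE_GATE_JS = """
var lang = navigator.systemLanguage || navigator.userLanguage;
if (document.cookie.indexOf("visited=1") != -1) { /* seen before, stop */ }
document.cookie = "visited=1; path=/";
var ie8 = navigator.userAgent.indexOf("MSIE 8.0") != -1;
var flash = false;
try { new ActiveXObject("ShockwaveFlash.ShockwaveFlash"); flash = true; } catch (e) {}
if (ie8 && flash && (lang == "zh-cn" || lang == "zh-tw" || lang == "ja" ||
    lang == "ko" || lang == "ru")) { loadStage2(); }
"""

# One indicator per profiling step attributed to the script. A benign page
# may match one or two of these; the full combination is what stands out.
INDICATORS = {
    "revisit_cookie": re.compile(r"document\.cookie\s*=|document\.cookie\.indexOf"),
    "ie8_check": re.compile(r"MSIE\s*8(\.0)?"),
    "flash_check": re.compile(r"ShockwaveFlash\.ShockwaveFlash|x-shockwave-flash"),
    "language_check": re.compile(
        r"navigator\.(systemLanguage|userLanguage|browserLanguage|language)"),
}

# Language codes for the article's list: Chinese, Chinese (Taiwan), Japanese,
# Korean, Russian (assumed code spellings for the comparison literals).
TARGET_LANGS = {"zh-cn", "zh-tw", "ja", "ko", "ru"}
LANG_LITERAL = re.compile(r"""["'](zh-cn|zh-tw|ja|ko|ru)["']""", re.IGNORECASE)

def profile_script(js: str) -> dict:
    """Report which gating indicators a script contains and an overall score."""
    hits = {name: bool(rx.search(js)) for name, rx in INDICATORS.items()}
    langs = {m.lower() for m in LANG_LITERAL.findall(js)}
    hits["target_languages"] = sorted(langs)
    score = sum(1 for k in INDICATORS if hits[k])
    if langs & TARGET_LANGS:
        score += 1  # explicit whitelist of the targeted locales
    hits["score"] = score
    hits["suspicious"] = score >= 4  # threshold chosen for this example
    return hits

if __name__ == "__main__":
    print(profile_script(SAMPLE_GATE_JS))
```

A benign analytics script that merely reads `navigator.language` scores 1 and is not flagged; all four checks plus the locale whitelist are needed to cross the threshold.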
