Microsoft says it is investigating reports of a vulnerability in Internet Explorer 6, 7, 8, and 9 as well as targeted attacks that have attempted to exploit the vulnerability.
The zero-day flaw, which does not affect Internet Explorer 10, was identified by researcher Eric Romang, according to a blog post by security research firm Rapid7, which has incorporated the exploit into its Metasploit penetration-testing tool.
“The exploit, which had already been used by malicious attackers in the wild before it was published in Metasploit, is affecting about 41% of Internet users in North America and 32% world-wide [according to StatCounter],” the company said.
- By default, Internet Explorer on Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2 runs in a restricted mode that is known as Enhanced Security Configuration. This mode mitigates this vulnerability.
- By default, all supported versions of Microsoft Outlook, Microsoft Outlook Express, and Windows Mail open HTML email messages in the Restricted sites zone. The Restricted sites zone, which disables script and ActiveX controls, helps reduce the risk of an attacker being able to use this vulnerability to execute malicious code.
- An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
“We have added the zero-day exploit module to Metasploit to give the security community a way to test if their systems are vulnerable and to develop counter-measures,” Rapid7 added.
According to a Microsoft security advisory, a remote code execution vulnerability exists in the way that Internet Explorer accesses an object that has been deleted or has not been properly allocated.
The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer. An attacker could host a specially crafted website designed to exploit this vulnerability through Internet Explorer and then convince a user to view that website, the company said.
On completion of its investigation, Microsoft said it will take the appropriate action, which may include providing a patch in its monthly security update or an out-of-cycle security update.
The company said it is working with partners in the Microsoft Active Protections Program (MAPP) to give them information they can use to provide broader protections to customers.
“In addition, we are actively working with partners to monitor the threat landscape and take action against malicious sites that attempt to exploit this vulnerability,” Microsoft said.
Microsoft continues to encourage customers to follow the guidance in the Microsoft Safety & Security Center of enabling a firewall, applying all software updates and installing anti-virus and anti-spyware software.
- Deploy the Enhanced Mitigation Experience Toolkit (EMET)
- Configure EMET for Internet Explorer from the EMET user interface
- Configure EMET for Internet Explorer from a command line
- Set Internet and Local intranet security zone settings to "High" to block ActiveX Controls and Active Scripting in these zones
- Add sites that you trust to the Internet Explorer Trusted sites zone
Detailed guidelines for each of these steps are provided in Microsoft’s security advisory.
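The zone workaround in the list above (set the Internet and Local intranet zones to "High" so ActiveX controls and Active Scripting are blocked, then whitelist the sites you trust) can be applied and verified for the current user with PowerShell. The script below is an added example, not code from the article or from Microsoft's advisory. It assumes the documented registry layout of Internet Explorer's zone settings under the current user's `Internet Settings\Zones` key (zone 1 = Local intranet, 3 = Internet, 2 = Trusted sites), the action values 1200 ("Run ActiveX controls and plug-ins") and 1400 ("Active scripting") with 3 meaning Disable, and CurrentLevel 0x12000 as the "High" template; the trusted domain `intranet.example.com` is a hypothetical placeholder.

```powershell
# Added example: apply the advisory's zone workaround for the current user
# and read the result back. Registry paths and action codes are assumptions
# based on the documented IE zone layout, not taken from the advisory text.

$ZonesKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$ZoneMapKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'

$Intranet, $Trusted, $Internet = 1, 2, 3      # zone ids
$RunActiveX, $ActiveScripting  = '1200', '1400' # per-zone action value names
$Disable, $High                = 3, 0x12000     # action state / template level

function Set-ZoneHigh {
    param([int]$Zone)
    $key = Join-Path $ZonesKey $Zone
    # Set the two actions the advisory cares about explicitly, rather than
    # relying only on the template level, so the check below is unambiguous.
    Set-ItemProperty -Path $key -Name $RunActiveX      -Value $Disable -Type DWord
    Set-ItemProperty -Path $key -Name $ActiveScripting -Value $Disable -Type DWord
    Set-ItemProperty -Path $key -Name 'CurrentLevel'   -Value $High    -Type DWord
}

function Add-TrustedSite {
    param([string]$Domain, [string]$Scheme = 'https')
    $key = Join-Path $ZoneMapKey $Domain
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # A DWORD named after the URL scheme maps scheme+domain to zone 2 (Trusted sites).
    Set-ItemProperty -Path $key -Name $Scheme -Value $Trusted -Type DWord
}

function Test-ZoneHardened {
    param([int]$Zone)
    $p = Get-ItemProperty -Path (Join-Path $ZonesKey $Zone)
    return ($p.$RunActiveX -eq $Disable) -and ($p.$ActiveScripting -eq $Disable)
}

# Apply the workaround to the Internet and Local intranet zones.
Set-ZoneHigh -Zone $Internet
Set-ZoneHigh -Zone $Intranet

# Whitelist a hypothetical internal application that still needs script or ActiveX.
Add-TrustedSite -Domain 'intranet.example.com' -Scheme 'https'

# Report the resulting state; Internet Explorer reads the new values on its next start.
foreach ($z in $Internet, $Intranet) {
    $state = if (Test-ZoneHardened -Zone $z) { 'hardened' } else { 'NOT hardened' }
    Write-Output ("Zone {0}: {1}" -f $z, $state)
}
```

Two caveats when using this as a check rather than a one-off fix: if the machine is managed by Group Policy with zone settings enforced under the machine-wide policy keys (or with "use only machine settings" enabled), the per-user values written here are ignored and the policy values are the ones to audit; and for a fleet the same settings belong in Group Policy, with this script serving only to confirm on an endpoint that the expected values actually landed.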
Microsoft said that in a web-based attack scenario, an attacker could host a website that contains a webpage that is used to exploit this vulnerability. However, an attacker would have no way to force users to visit these websites. Instead, an attacker would have to convince users to visit the website, typically by getting them to click a link in an email message or Instant Messenger message that takes users to the attacker's website.
Until a security update is available, Microsoft points to the mitigating factors above and suggests the workaround of blocking known attack vectors. Alternatively, Rapid7 suggests switching to another browser such as Chrome or Firefox.