Sunday, 4 May 2014

Internet Explorer Security Alert: zero-day vulnerability

Microsoft has issued a security warning about a zero-day vulnerability in its Internet Explorer browser, which attackers could exploit to gain the same user rights as the current user. This means that if the current user is logged on with administrative user rights, an attacker could take complete control of a targeted system. The attacker could then install programs and view, change or delete data as well as create new accounts with full user rights. Microsoft reported that the vulnerability affects Internet Explorer (IE) versions 6 to 11.

Microsoft warned that the vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code within IE. The company also said an attacker could host a specially crafted website that is designed to exploit this vulnerability through IE and then convince a user to view the website. This is typically done through sending messages through email or instant messenger that are designed to trick recipients into clicking a link to the malicious website.

“On completion of this investigation, Microsoft will take the appropriate action to protect customers, which may include providing a solution through our monthly security update release process, or an out-of-cycle security update.”

Users who are using Windows XP at work or home AND users who have administrator rights on their laptop/desktop need to be extra careful.
How can you avoid this risk? Until further notice, you should limit use of ANY version of Internet Explorer immediately, in favor of alternative browsers such as Mozilla Firefox or Google Chrome.
Avoid non-business websites. Do not click links in emails or click popups from public websites.

I will let you know when it is safe again to use IE. If IE is your primary browser, please switch to an alternative one.

Please feel free to contact me for any further information.

MORE ON IE VULNERABILITIES

Because an attacker who successfully exploited this vulnerability could gain the same user rights as the current user, users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Microsoft suggests several steps to limit exposure to the vulnerability until a fix is released. These include:
  • Deploying the free Enhanced Mitigation Experience Toolkit (EMET) version 4.1
  • Setting the Internet and Local intranet security zone settings to "High" to block ActiveX Controls and Active Scripting in these zones
  • Configuring Internet Explorer to prompt before running Active Scripting, or to disable Active Scripting, in the Internet and Local intranet security zones
  • Modifying the Access Control List on VGX.DLL to be more restrictive
  • Enabling Enhanced Protected Mode for Internet Explorer 11 and enabling 64-bit processes for Enhanced Protected Mode
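The following PowerShell script is an added example written for this post; it is not Microsoft's tooling and is not part of the advisory. It audits, and with -Apply sets, three of the interim measures listed above on a single machine: the Internet and Local intranet zones at "High", Enhanced Protected Mode with 64-bit processes, and a deny ACL on VGX.DLL. It does not deploy EMET. The registry value names and locations (zone values 1200/1400/CurrentLevel, Isolation/Isolation64Bit under Internet Explorer\Main) and the VGX.DLL path are assumptions based on the standard per-user IE settings layout; check them on a test machine before rolling anything out.

```powershell
# Added example, not from the original post or from Microsoft: audit and
# optionally apply interim IE mitigations on one Windows machine.
# Run from an elevated PowerShell prompt. Registry value names and the
# VGX.DLL path are assumptions to verify on your own build.
param(
    [switch]$Apply,     # without -Apply the script only reports the current state
    [switch]$RevertVgx  # remove the VGX.DLL deny rule again once the fix is installed
)

$ZoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$IeMain  = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
$Vgx     = Join-Path $env:CommonProgramFiles 'Microsoft Shared\VGX\vgx.dll'
$Zones   = @{ 1 = 'Local intranet'; 3 = 'Internet' }   # IE zone IDs (assumed)

# Value 1200 = "Run ActiveX controls and plug-ins", 1400 = "Active scripting";
# 0 = enable, 1 = prompt, 3 = disable. CurrentLevel 0x12000 is the "High" template.
$HighTemplate = @{ '1200' = 3; '1400' = 3; 'CurrentLevel' = 0x12000 }

function Get-ZoneState([int]$Id) {
    # Report the current ActiveX / Active Scripting settings for one zone
    $p = Get-ItemProperty -Path (Join-Path $ZoneKey $Id) -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Zone         = $Zones[$Id]
        ActiveX      = $p.'1200'
        ActiveScript = $p.'1400'
        Level        = if ($p.CurrentLevel) { '0x{0:X}' -f $p.CurrentLevel } else { $null }
    }
}

function Set-ZoneHigh([int]$Id) {
    # Write the "High" template values for one zone
    $k = Join-Path $ZoneKey $Id
    foreach ($name in $HighTemplate.Keys) {
        Set-ItemProperty -Path $k -Name $name -Value $HighTemplate[$name] -Type DWord
    }
}

function Test-VgxDenied {
    # True when an explicit Deny rule for Everyone is present on VGX.DLL
    if (-not (Test-Path $Vgx)) { return $null }   # VGX.DLL not present on this build
    $acl = Get-Acl -Path $Vgx
    [bool]($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and $_.IdentityReference -like '*Everyone'
    })
}

function Set-VgxDeny([bool]$Enable) {
    # Add (or remove) a Deny-FullControl rule for Everyone on VGX.DLL
    $acl  = Get-Acl -Path $Vgx
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList 'Everyone', 'FullControl', 'Deny'
    if ($Enable) { [void]$acl.AddAccessRule($rule) } else { [void]$acl.RemoveAccessRule($rule) }
    Set-Acl -Path $Vgx -AclObject $acl
}

if ($RevertVgx) {
    Set-VgxDeny $false
    "VGX.DLL deny rule removed; still denied: $(Test-VgxDenied)"
    return
}

if ($Apply) {
    foreach ($id in $Zones.Keys) { Set-ZoneHigh $id }
    # Enhanced Protected Mode plus 64-bit tab processes (IE 10/11 value names, assumed)
    Set-ItemProperty -Path $IeMain -Name 'Isolation'      -Value 'PMEM' -Type String
    Set-ItemProperty -Path $IeMain -Name 'Isolation64Bit' -Value 1      -Type DWord
    if (Test-Path $Vgx) { Set-VgxDeny $true }
}

# Report: run without switches first to record the state before any change
foreach ($id in $Zones.Keys) { Get-ZoneState $id }
$main = Get-ItemProperty -Path $IeMain -ErrorAction SilentlyContinue
[pscustomobject]@{
    EnhancedProtectedMode = ($main.Isolation -eq 'PMEM')
    Epm64Bit              = ($main.Isolation64Bit -eq 1)
    VgxDllDenied          = Test-VgxDenied
}
```

Two practical points: the changes are written under HKCU, so they apply to the current user only, and in a domain the same settings are better pushed through Group Policy; and setting the Local intranet zone to "High" can break internal web applications that rely on scripting, so test it before applying it broadly. The deny rule on VGX.DLL is a stopgap, which is why the script carries a -RevertVgx switch for use once the vendor fix has been installed.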


Special Note for XP Users:
Due to the recent end-of-life announcement for XP and IE 8, there is not expected to be a forthcoming patch for this vulnerability. You are advised to upgrade your operating systems as soon as possible. In the meantime, install Chrome or Firefox, and DO NOT use Internet Explorer or Outlook Express.


5 examples of zero-day attacks


Network World - Zero-day attacks can strike anywhere, anytime. Here are five examples of recent zero-day exploits:
  • Windows: In May, Google security engineer Tavis Ormandy announced a zero-day flaw in all currently supported releases of the Windows OS. According to his claim, the troubled code is more than 20 years old, which means “pre-NT”.
  • Java: In March, Oracle released emergency patches for Java to address two critical vulnerabilities, one of which was actively used by hackers in targeted attacks. They received the highest possible impact score from Oracle and can be remotely exploited without the need for authentication such as a username and password. The risk applies to both Windows and Mac devices.
  • Acrobat Reader: In February, a zero-day exploit was found that bypasses the sandbox anti-exploitation protection in Adobe Reader 10 and 11. According to Costin Raiu, director of Kaspersky Lab's malware research and analysis team, the exploit is highly sophisticated; it is likely either a cyber-espionage tool created by a nation state or one of the so-called lawful interception tools sold by private contractors to law enforcement and intelligence agencies for large sums of money.
  • The Elderwood Project: Symantec reported that in 2012 the Elderwood Project used a seemingly “unlimited number of zero-day exploits, attacks on supply chain manufacturers who service the target organization, and shift to ‘watering hole’ attacks” on websites likely visited by the target organization. The report went on to say that the resources needed could only be provided by a large criminal organization supported by a nation state.
  • Various Game Engines: In May, Computerworld blogger Darlene Storm reported that thousands of potential attack vectors in game engines put millions of gamers at risk. The article talked about zero-day vulnerabilities in CryEngine 3, Unreal Engine 3, id Tech 4 and Hydrogen Engine.