Microsoft has issued a security
warning about a zero-day vulnerability in
its Internet Explorer browser, which attackers could exploit to gain the same
user rights as the current user. This means that if the current user is logged
on with administrative user rights, an attacker could take complete control of
a targeted system. The attacker could then install programs and view, change or
delete data as well as create new accounts with full user rights. Microsoft
reported that the vulnerability is found in Internet Explorer (IE) versions 6 to 11.
Microsoft warned that the
vulnerability may corrupt memory in a way that could allow an attacker to
execute arbitrary code within IE. The company also said an attacker could host
a specially crafted website that is designed to exploit this vulnerability
through IE and then convince a user to view the website. This is typically done
through sending messages through email or instant messenger that are designed
to trick recipients into clicking a link to the malicious website.
“On completion of this
investigation, Microsoft will take the appropriate action to protect customers,
which may include providing a solution through our monthly security update
release process, or an out-of-cycle security update.”
Users running Windows XP at work or at home, and users who have administrator
rights on their laptop or desktop, need to be extra careful.
How can you avoid this risk?
Until further notice you should limit use of ANY version of Internet Explorer
immediately, in favor of alternative browsers like Mozilla Firefox or Google Chrome.
Avoid non-business web sites. Do
not click links in emails or click popups from public web sites.
I will let you know when it is safe
again to use IE. If IE is your primary browser please switch to an alternative
one.
Please feel free to contact me for
any further information.
MORE ON IE VULNERABILITIES
Because an attacker who
successfully exploited this vulnerability could gain the same user rights as
the current user, users whose accounts are configured to have fewer user rights
on the system could be less impacted than users who operate with administrative
user rights.
Microsoft suggests several
steps to limit exposure to the vulnerability until a fix is released. These
include:
- Deploying the free Enhanced Mitigation Experience Toolkit (EMET) version 4.1
- Setting Internet and Local intranet security zone settings to "High" to block ActiveX Controls and Active Scripting in these zones
- Configuring Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone
- Modifying the Access Control List on VGX.DLL to be more restrictive
- Enabling Enhanced Protected Mode for Internet Explorer 11 and Enable 64-bit Processes for Enhanced Protected Mode
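A read-only audit of the two zone-related workarounds in the list above, added here as an example and not taken from Microsoft or the original post. It assumes the standard IE zone registry layout (zone 1 = Local intranet, zone 3 = Internet, action 1400 = Active Scripting, CurrentLevel 0x12000 = "High") and a lookup order in which policy keys win over user preferences.

```powershell
# Added example: read-only check of the IE zone workarounds; changes nothing.
# Assumptions: the registry roots and their precedence order listed below.
$ZoneNames = @{ 1 = 'Local intranet'; 3 = 'Internet' }
$Base = 'Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$Roots = @(
    "HKLM:\SOFTWARE\Policies\$Base",   # machine policy (assumed highest precedence)
    "HKCU:\SOFTWARE\Policies\$Base",   # user policy
    "HKCU:\SOFTWARE\$Base",            # user preference (Internet Options dialog)
    "HKLM:\SOFTWARE\$Base"             # machine default
)

function Get-ZoneValue {
    param([int]$Zone, [string]$Name)
    foreach ($root in $Roots) {
        $key  = Join-Path $root $Zone
        $item = Get-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            return [pscustomobject]@{ Value = $item.$Name; Source = $key }
        }
    }
    return $null   # value not present under any of the roots
}

function Test-IEZoneHardening {
    foreach ($zone in ($ZoneNames.Keys | Sort-Object)) {
        $scripting = Get-ZoneValue -Zone $zone -Name '1400'          # Active Scripting
        $level     = Get-ZoneValue -Zone $zone -Name 'CurrentLevel'  # security slider
        [pscustomobject]@{
            Zone                = $ZoneNames[$zone]
            ActiveScripting     = if ($scripting) { $scripting.Value } else { 'unset' }
            # 1400: 0 = enable, 1 = prompt, 3 = disable; prompt or disable passes
            ScriptingRestricted = ($null -ne $scripting) -and ($scripting.Value -in 1, 3)
            Level               = if ($level) { '0x{0:X}' -f $level.Value } else { 'unset' }
            LevelHigh           = ($null -ne $level) -and ($level.Value -eq 0x12000)
        }
    }
}

Test-IEZoneHardening | Format-Table -AutoSize
```

Run it as the user whose browser settings are being checked, since the HKCU keys are per user. A zone where both ScriptingRestricted and LevelHigh are False has neither workaround applied.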
Special Note for XP Users:
Due to
the recent end of life announcement for XP and IE 8, there is not expected to
be a forthcoming patch for this vulnerability. You are advised to upgrade your
operating systems as soon as possible. In the meantime, install Chrome or
Firefox, and DO NOT use Internet Explorer or Outlook Express.
Network World - Zero-day attacks can strike anywhere, anytime. Here are five examples of recent zero-day exploits:
- Windows: In May, Google security engineer Tavis Ormandy announced a zero-day flaw in all currently supported releases of the Windows OS. According to his claim, the troubled code is more than 20 years old, which means “pre-NT”.
- Java: In March, Oracle released emergency patches for Java to address two critical vulnerabilities, one of which was actively used by hackers in targeted attacks. They received the highest possible impact score from Oracle and can be remotely exploited without the need for authentication such as a username and password. The risk applies to both Windows and Mac devices.
- Acrobat Reader: In February, a zero-day exploit was found that bypasses the sandbox anti-exploitation protection in Adobe Reader 10 and 11. According to Costin Raiu, director of Kaspersky Lab's malware research and analysis team, the exploit is highly sophisticated; it is likely either a cyber-espionage tool created by a nation state or one of the so-called lawful interception tools sold by private contractors to law enforcement and intelligence agencies for large sums of money.
- The Elderwood Project: Symantec reported that in 2012 the Elderwood Project used a seemingly “unlimited number of zero-day exploits, attacks on supply chain manufacturers who service the target organization, and shift to ‘watering hole’ attacks” on websites likely visited by the target organization. The report went on to say that the resources needed could only be provided by a large criminal organization supported by a nation state.
- Various Game Engines: In May, Computerworld blogger Darlene Storm reported that thousands of potential attack vectors in game engines put millions of gamers at risk. The article talked about zero-day vulnerabilities in CryEngine 3, Unreal Engine 3, id Tech 4 and Hydrogen Engine.