Microsoft zero-day attacks target all versions of IE

In an update to an earlier advisory, Microsoft warned that all versions of Internet Explorer are vulnerable to an attack on an unpatched XML handling flaw.

Microsoft is warning customers that ongoing zero-day attacks against a flaw in Internet Explorer 7 now affect all versions of the Web browser.

SearchSecurity.com:
To get security news and tips delivered to your inbox, click here to sign up for our free newsletter.

Earlier attacks were only targeting IE 7, but the underlying vulnerability, an error in the way the browser processes XML, affects all currently supported versions of IE. Security experts are warning that the threat is serious because the vulnerability could be exploited by an attacker to gain the same user rights as the local user, and ultimately gain access to sensitive data.

"Our latest information is that there are still limited attacks seeking to load malicious software on vulnerable systems," Christopher Budd, security response communications lead for Microsoft, wrote on the Microsoft Security Response Center (MSRC) blog.

Microsoft browser flaws:
Microsoft acknowledges IE 7 zero-day attacks: The exploit was mistakenly released by a Chinese security team.

Unpatched Internet Explorer 7 flaw under attack (Security Bytes blog) A new exploit for IE 7 is being used against fully patched Windows XP and Windows 2003 systems.

Microsoft fixes critical flaws in Office, IE Dangerous flaws could allow an attacker to access sensitive files and gain complete control of a computer. More than two dozen flaws were patched.

In the updated advisory, Microsoft recommends setting the Internet zone security setting to high and using ACLs to disable Ole32db.dll. The change should lower the threat until a patch is released, Budd said.

Earlier this week, Verisign's iDefense security group said a group of Chinese security researchers may have mistakenly released the code in the wild. The exploit is being tied to the Chinese Knownsec security team, which admitted the mistake in a blog post.

Danish vulnerability clearinghouse Secunia has given the flaw an extremely critical rating because the flaw is being actively exploited.

In a McAfee Avert Labs blog post, security researchers Geok Meng Ong and Xiaobo Chen explained how the exploit contains a downloader that installs malware onto a victim's machine.

"We have confirmed this vulnerability to be affecting, at least, a fully patched Windows XP SP3 and a Vista SP1 system," the researchers said. "The exploit uses publicly known heap-spray techniques that enable control over a vtable pointer, allowing arbitrary code execution."

The zero-day was discovered just a day after Microsoft issued eight security bulletins to repair 28 flaws in its product line, including several serious flaws in Internet Explorer. Bulletin MS08-073 addresses memory corruption errors in the way IE handles certain navigation methods. Microsoft gave the flaws a "1" on its Exploitability Index, warning that consistent exploit code is likely in the wild.

Dig deeper on Web Browser Security

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

-ADS BY GOOGLE

SearchCloudSecurity

SearchNetworking

SearchCIO

SearchConsumerization

SearchEnterpriseDesktop

SearchCloudComputing

ComputerWeekly

Close