Microsoft issues advisory on Internet Explorer zero-day

Targeted attacks against Google, Adobe and other firms used a hole in Internet Explorer. The flaw affects nearly all versions of the browser.

A zero-day vulnerability in Internet Explorer was used by hackers in a recent spate of targeted attacks against Google, Adobe and other firms, according to an advisory issued by Microsoft late Thursday.

The software giant said it was cooperating with Google and other companies and providing information to investigators. The remote code execution vulnerability affects nearly all supported versions of IE running on nearly every version of Windows. IE 5.01 on Windows 2000 is not affected.

"Microsoft has not seen widespread customer impact, rather only targeted and limited attacks exploiting IE 6 at this time," Mike Reavey, the group manager at the Microsoft Security Response Center, wrote on the MSRC blog. "Our teams are currently working to develop an update and we will take appropriate action to protect customers when the update has met the quality bar for broad distribution."

Attacks targeting specific corporate networks are becoming more prevalent, Reavey said, urging enterprises to deploy multiple layers of defenses to improve their security posture. Google and Adobe acknowledged in separate messages this week that their corporate systems had been targeted by hackers who used sophisticated social engineering tactics. McAfee said its researchers discovered the IE zero-day vulnerability during an analysis of the malware used in the attacks.

In its advisory, Microsoft said customers could mitigate the threat posed by the IE zero-day flaw by setting local intranet security zone settings to high and using Protected Mode in IE 7 on Windows Vista and later. The higher security zone setting makes the browser check with the user before running ActiveX Controls and Active Scripting. In addition, Data Execution Prevention (DEP) can be enabled to help mitigate online attacks. DEP is enabled by default in IE 8 but must be manually enabled in prior versions, Reavey said.

"The vulnerability exists as an invalid pointer reference within Internet Explorer. It is possible under certain conditions for the invalid pointer to be accessed after an object is deleted," Microsoft said in its advisory. "In a specially-crafted attack, in attempting to access a freed object, Internet Explorer can be caused to allow remote code execution."
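The bug class the advisory describes, a reference used after its object has been deleted, is commonly defended against by handing out checked handles instead of raw pointers. The C example below is added here for illustration and is not Microsoft's code or its fix; the `elem` type, the `elem_ref` handle and the slot table are hypothetical names chosen for the example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#define SLOTS 8

typedef struct { char tag[16]; } elem;              /* hypothetical object type */
typedef struct { uint32_t index, generation; } elem_ref;
static struct { elem *obj; uint32_t generation; } table[SLOTS];

/* Create an object; callers get a handle, never the raw pointer. */
elem_ref elem_create(const char *tag) {
    elem_ref r = { SLOTS, 0 };                 /* out-of-range index = invalid */
    for (uint32_t i = 0; i < SLOTS; i++) {
        if (table[i].obj != NULL) continue;
        elem *e = calloc(1, sizeof *e);
        if (e == NULL) break;
        strncpy(e->tag, tag, sizeof e->tag - 1);
        table[i].obj = e;
        r = (elem_ref){ i, table[i].generation };
        break;
    }
    return r;
}

/* Resolve a handle; NULL when the object was deleted or the slot reused. */
elem *elem_get(elem_ref r) {
    if (r.index >= SLOTS || table[r.index].obj == NULL) return NULL;
    return table[r.index].generation == r.generation ? table[r.index].obj : NULL;
}

/* Delete the object and bump the generation so old handles go stale. */
int elem_delete(elem_ref r) {
    elem *e = elem_get(r);
    if (e == NULL) return -1;                  /* stale handle or double delete */
    free(e);
    table[r.index].obj = NULL;
    table[r.index].generation++;
    return 0;
}

/* Constructed scenario: a second holder keeps a reference past deletion. */
int demo(void) {
    elem_ref img = elem_create("img"), kept = img;
    elem_delete(img);
    elem_ref div = elem_create("div");         /* reuses the freed slot */
    int stale_rejected = elem_get(kept) == NULL && elem_get(div) != NULL;
    elem_delete(div);
    return stale_rejected ? 0 : 1;
}
int main(void) { return demo(); }
```

With raw pointers, the kept reference would still point at memory that now belongs to a different object; with generation-checked handles the stale lookup fails closed and the caller can handle the `NULL`.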

The flaw is exploited by setting up specially crafted content on an attack website. Microsoft said the attacker would have to get the user to visit the website by tricking them into clicking on a link within an email message.

"It could also be possible to display specially crafted Web content by using banner advertisements or by using other methods to deliver Web content to affected systems," Microsoft said.
