Microsoft is releasing an emergency out-of-band update for Internet Explorer on Thursday, repairing multiple vulnerabilities in the browser including a zero-day flaw being exploited in targeted attacks against corporate networks.
Joshua Corman, Research Director, The 451 Group
In an advance notification, Microsoft said the update is rated critical and would be released at about 1 p.m. ET. While the patch will block attacks targeting the IE zero-day vulnerability to gain a foothold into corporate networks, security experts say enterprises should be prepared for an onslaught of new hacking attempts.
"Once applied, customers are protected against the known attacks that have been widely publicized," said Jerry Bryant, senior security program manager with the Microsoft Security Response Center. "We recommend that customers install the update as soon as it is available."
In its updated security advisory, Microsoft said attackers are exploiting an invalid pointer reference within Internet Explorer. The exploit code being passed by attackers causes IE to attempt to access a freed object, creating a condition that allows remote code execution. Attacks have been limited and only successful on IE 6, although IE 7 and IE8 also contain the flaw, Microsoft said.
Researchers have developed proof-of-concept code enabling an attacker to exploit the flaw and bypass Data Execution Protection (DEP) to view files running on Vista and Windows 7. Microsoft said setting the browser's Internet zone to high disables scripting and helps protect against DEP bypass techniques.
Ongoing cyberespionage campaign:
Chinese hacker attacks target Google Gmail accounts, top tech firms: Up to 33 Silicon Valley tech firms, financial companies and government contractors have been breached by a sophisticated attack believed to have originated in China.
Hackers used IE zero-day in Google, Adobe attacks, McAfee says: The recent targeted attacks against Google, Adobe and possibly dozens of other firms used an unpatched vulnerability in Internet Explorer, according to researchers at McAfee.
Microsoft issues advisory on Internet Explorer zero-day: Targeted attacks against Google, Adobe and other firms used a hole in Internet Explorer. The flaw affects nearly all versions of the browser.
Microsoft to release emergency Internet Explorer update: Patch will block ongoing attacks targeting Internet Explorer 6. Exploit code is available targeting all versions of IE.
Latest attacks are not new, nor sophisticated, expert says
Search engine giant Google announced last week that it and dozens of other Silicon Valley technology firms were targeted in a string of sophisticated attacks. The cyberespionage is believed to be carried out by Chinese computer hackers committed to doing anything they can to infiltrate corporate networks, remain undetected and steal intellectual property and other sensitive information. The attackers are easily slipping past antimalware and antispam filters using spearphishing tactics and malware.
Security experts say the techniques the attackers are using aren't necessarily new and sophisticated, but they are successful because organizations are not focused on monitoring the network for anomalies that signal trouble. IT organizations may be relying too heavily on outdated technologies, such as antivirus, said Josh Corman, a research director in the enterprise security practice at The 451 Group.
"We need to have more eyes and ears on the network to hunt for whispers and echoes, but we're so focused as an industry on antiquated controls and mandating them that we now fear the auditor more than the attacker," Corman said. "I'm very concerned that we've lost our focus on the adversary and are instead focused more on standardizing legacy controls."
Experts say attackers will continue to find zero-day vulnerabilities to exploit well after Microsoft issues its update on Thursday. The high value of intellectual property and other personal data has helped fund teams of malicious software developers who sift through code hunting for flaws to exploit. The latest attacks against Google, Adobe Systems Inc., as well as Yahoo Inc., Juniper Networks Inc., Symantec Corp. and others, show that advance teams scout out potential targets and reap as much information as possible on a victim before using social engineering tactics to carry out an attack.
In many cases, an attack goes unnoticed and the cybercriminals sit on a target for days and even weeks to ensure their presence remains undetected, said Wolfgang Kandek, chief technical officer and vice president of engineering at vulnerability management vendor Qualys Inc. Kandek said that the attacks could have been carried out against any browser or application.
"It is very difficult to escape a targeted attack by somebody who has significant funds to instrument that attack," Kandek said. "You have somebody determined to gain access to information and that somebody has significant resources to analyze what [the potential victim] is doing and try to find a flaw in that."