Microsoft has confirmed that a newly discovered Internet Explorer zero-day vulnerability is being actively exploited in the wild. Versions 9 through 11 of the vendor's Web browser are currently under attack, though older versions found on Windows XP machines could also be vulnerable to future attacks.
Researchers from advanced threat-detection vendor FireEye Inc. uncovered the IE zero-day, CVE-2014-1776, being used as part of an ongoing attack campaign, dubbed "Operation Clandestine Fox." Microsoft confirmed the discovery in Security Advisory 2963983, which explains that the use-after-free memory vulnerability is remotely exploitable and, if successfully exploited, could enable an attacker to gain the same administrative rights over a machine as the current user.
FireEye's researchers provided more details about the attack campaign in a blog post, though they did not divulge the identity of the group suspected to be behind the campaign.
"The APT group responsible for this exploit has been the first group to have access to a select number of browser-based zero-day exploits [e.g., IE, Firefox and Flash] in the past," said FireEye's researchers. "They are extremely proficient at lateral movement and are difficult to track, as they typically do not reuse command and control infrastructure."
In an advisory posted Monday, the United States Computer Emergency Readiness Team (US-CERT) recommended that Internet Explorer users enable the Microsoft Enhanced Mitigation Experience Toolkit (EMET) when possible and consider employing an alternative web browser until an official update is available.
Though as of Monday morning Microsoft has yet to provide the usual "fix it" tool to temporarily mitigate the IE zero-day, there are several defense measures that can be implemented. Microsoft said that IE 10 and 11 users running the default Enhanced Protected Mode are currently protected from the vulnerability, as well as users currently running versions 4.1 and 5.0 of the company's EMET, a free security tool that Microsoft often touts when zero days are uncovered.
Also, FireEye reports attackers are using an exploit that relies on a user loading a malicious Adobe Flash object, which means that modern security protection built into new versions of Windows, including address space layout randomization and data execution prevention, can be bypassed by attackers. Users can effectively mitigate such attacks by disabling the Flash plug-in within IE.
While FireEye confirmed that only IE versions 9 through 11 are currently being targeted by attackers, it also warned that the vulnerability can be found in versions 6 through 8, the latter of which is the last version to be supported on the Windows XP platform. Microsoft ended support for XP earlier this month, leaving users of both the aged operating system and outdated versions of IE in the lurch.
For those XP users that have the ability to switch, Google's Chrome and Mozilla's Firefox browsers are expected to receive support for the foreseeable future. Otherwise, Qualys chief technology officer Wolfgang Kandek said XP users should consider following one of Microsoft's suggested workarounds and disable the VGX dynamic link library, which is responsible for rendering the Vector Markup Language (VML) code on websites.
"VML is only infrequently used on the web, so disabling it in IE is the best way to prevent exploitation," said Kandek in a blog post. "This happened a bit quicker than I expected but it is a sign of things to come. … Attackers will soon adapt the exploit to work against these older versions of IE as well."