Microsoft acknowledges Internet Explorer zero-day attacks

By Robert Westervelt, News Editor 11 Dec 2008 | SearchSecurity.com

Security Wire Daily News Digg This!     StumbleUpon     Del.icio.us

Microsoft issued an advisory late Wednesday warning customers of new attacks against a zero-day vulnerability in Internet Explorer.

SearchSecurity.com: To get security news and tips delivered to your inbox, click here to sign up for our free newsletter.

Chinese security researchers may have mistakenly released the code to exploit the flaw. Verisign's iDefense released an advisory explaining that the Chinese Knownsec security team admitted the mistake.The software giant said in its advisory that the attacks are against Windows Internet Explorer 7 on supported editions of Windows XP Service Pack 2, Windows XP Service Pack 3, Windows Server 2003 Service Pack 1, Windows Server 2003 Service Pack 2, Windows Vista, Windows Vista Service Pack 1 and Windows Server 2008. The vulnerability could be exploited by an attacker to gain the same user rights as the local user.

Microsoft has recommended steps to limit the risk until a patch is made available. Using protected mode in IE 7 limits the threat. The browser should also be running in Enhanced Security Mode, Microsoft said.

Related Microsoft news: Unpatched Internet Explorer 7 flaw under attack (Security Bytes blog) A new exploit for IE 7 is being used against fully patched Windows XP and Windows 2003 systems. Microsoft fixes critical flaws in Office, IE Dangerous flaws could allow an attacker to access sensitive files and gain complete control of a computer. More than two dozen flaws were patched.  Inside MSRC: Microsoft issues guidance on critical flaws Microsoft's Bill Sisk describes the latest bulletins and explains why new threat families were added to the Malicious Software Removal tool.

Bill Sisk, the response communication manager for the Microsoft Security Response Center (MSRC), did not rule out an out-of-cycle patch to correct the flaw, he wrote in the MSRC blog.

"Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers," Sisk said. "This may include providing a security update through our monthly release or out-of-cycle, if necessary."

Researchers said the attack attempts to exploit a vulnerability in the way IE processes XML.

"The vulnerability is caused by a function that incorrectly frees a certain region of heap memory so that an attacker is able to control the EAX register with a specially crafted Unicode URL, which includes the magic "0x0A0A" value in it," Elia Florio, a security researcher at Symantec, wrote in a Symantec blog entry.

Florio said Symantec traced the attacks back to "Chinese domains and websites, which are used by the exploit to install and download additional malicious code components."

Symantec released both antivirus and IPS signatures to protect against the exploit.

Wolfgang Kandek, chief technology officer of patch management vendor Qualys Inc., said the browser is by far the biggest attack vector. Both Mozilla and Opera are moving ahead by implementing automatic patching to protect customers, he said. Microsoft continues to patch from the OS level.

"It is more reliable for an attacker to exploit a server vulnerability (after all, there is no human intervention required), but today the Web browser is the "killer application" that everybody uses," Kandek said. "Patching for browsers should be immediate and continuous and be removed from the OS level and included in the browser itself."

The IE 7 flaw is the second zero-day acknowledged by Microsoft this week. The software giant issued an advisory Tuesday warning customers of vulnerability in the Wordpad Converter for Word 97 files affecting Windows 2000 SP4, Windows XP SP2 and Windows Server 2003 SP1 and SP2. In order to exploit the flaw, an attacker must trick a user into opening an attachment that is sent in an email. A successful attack could give the attacker the same user rights as the local user.

Tags: Web Browser Security,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Web Browser Security Microsoft warns that IE zero-day vulnerability causes data leakage Browser exploit kit probe highlights need for patching, vigilance Google to pay for Chrome browser vulnerabilities Attackers continue barrage of SEO attacks Microsoft emergency IE update to block latest corporate attacks Facebook, McAfee partner to fix social network security issues Firefox, Opera, Safari browsers top list of high risk software Mozilla fixes Firefox critical memory corruption errors FBI estimates rogue antivirus losses exceeding $150 million Adobe updates Flash Player, fixes seven serious vulnerabilities Web Browser Security Research

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary browser hijacker  (SearchSecurity.com) cache cramming  (SearchSecurity.com) cache poisoning  (SearchSecurity.com) honey monkey  (SearchSecurity.com) JavaScript hijacking  (SearchSecurity.com) NCSA  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary