Microsoft advisory: Internet Explorer zero day affects most Windows versions


Responding to reports of attacks on a previously unknown hole in some versions of its Internet Explorer web browser, Microsoft pushed out a security advisory on Monday that revealed the vulnerability affects most supported versions of Internet Explorer and Windows.

The company urged users of Internet Explorer 9 and earlier to take steps to protect their computers from public attacks on the newly discovered security hole.

Microsoft released Security Advisory 2757760 late on Monday in response to reports of public attacks on Windows systems running the Internet Explorer web browser.

The release follows warnings from a security researcher on Sunday that a cybercriminal group linked to web-based attacks was using the previously unknown (or "zero day") hole in Internet Explorer to infect vulnerable Windows XP systems with a variant of the Poison Ivy Trojan horse program.

(Sophos products detect malware using the Internet Explorer exploit as Troj/SWFDL-G, Troj/SWFDL-H and Troj/SWFDL-I.)

Eric Romang, a Luxembourg-based IT security advisor at ZATAZ.com, wrote over the weekend that he discovered the exploit when analyzing a batch of files hosted on one of the servers used to host attacks that exploited the Java vulnerability.

After running one of the sample files on a fully patched Windows XP SP3 system with an up-to-date version of Adobe Flash, Romang was surprised to find that the files loaded malicious software onto his fully patched XP system.

In its advisory, Microsoft acknowledged Romang’s discovery of a remote code execution vulnerability that exists in an Internet Explorer function for accessing an object that has been deleted or improperly allocated.

That vulnerability corrupts memory in a way that attackers could use to run their own code within Internet Explorer with the permissions of the current user. The vulnerability can be exploited remotely using a web page designed to target the hole, the company said.

The Microsoft advisory also makes clear that the vulnerability affects a far bigger swath of the company's installed base than Romang's initial analysis suggests.

Internet Explorer versions 6, 7, 8 and 9 were found to be vulnerable running on fully patched installations of Windows XP, Windows Vista, Windows 7 and Windows Server 2003 and 2008, Microsoft revealed. Only some versions of Windows Server 2008 for 32- and 64-bit systems and the yet-to-be released Windows 8 and Windows Server 2012 were not affected.

Microsoft said it continues to investigate the problem and will address the issue with a security patch, or possibly even an out-of-cycle update. The company is also working with anti-malware vendors in its MAPP (Microsoft Active Protections Program) to provide protections to customers using third party security software.

The company said that customers who were worried about being attacked could try temporary workarounds to protect themselves. One suggestion was to install the Enhanced Mitigation Experience Toolkit (EMET), a free utility that uses mitigations such as Microsoft's Data Execution Prevention technology to block exploitation.

The company also encouraged users to set the Internet and Local intranet security zone settings in Internet Explorer to "High", which will block ActiveX Controls and Active Scripting on untrusted web sites.

If Microsoft's temporary workaround doesn't appeal to you, your only sensible option is to change your browser. If you need a suggestion as to which one to use, why not check out the recent discussion from our readers regarding which browser they recommend.

Computer bug image, courtesy of Shutterstock



8 Responses to Microsoft advisory: Internet Explorer zero day affects most Windows versions

  1. alexanderrogge · 766 days ago

    I can't even install Microsoft Internet Explorer. My operating system says that the installer is not an executable file. I also don't use ActiveX Controls or whatever Active Scripting is. I'm surprised by how many corporations and government offices still rely on buggy, insecure, and frequently-targeted Microsoft software that was never intended to be used in a networked environment. Get rid of Microsoft, stop running as the root user, and most of your pesky security troubles will be over.

  2. James Fusion · 766 days ago

    Or you could use Sandboxie

  3. Simon · 766 days ago

    The BBC have reported MS as saying to use the Enhanced Mitigation Experience Toolkit as a temp stop gap, while they also explained that it needs to be user configured so isn't for everyone.

    If this can offer some protection, is this not worth reporting yourselves?

  4. Robert Wurzburg · 766 days ago

    Microsoft has released an updated Security Advisory regarding this vulnerability:
    http://technet.microsoft.com/security/advisory/27...

    This is listed as CVE-2012-4969

    You can also protect yourself from the Iframe vulnerability component of this attack
    by going to Internet Explorer/Properties/Security/Custom level/
    Launching programs and files in an IFRAME. Do this for all security zones.
    Set this to Disable, then OK, then Apply, then OK. Restart your computer.
    This setting should ALWAYS be Disable to protect from Iframe attacks. There is no
    real good reason to run Iframe files and programs for anything I'm aware of, and
    your browser will remain fully functional.
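The article's workaround (Internet and Local intranet zones set to "High", which disables ActiveX controls and Active Scripting) and the IFRAME launch setting described in the comment above both end up as per-user Internet Explorer zone values in the registry. The following PowerShell audit script is an added example, not code from the article, Microsoft or the commenter: it reports whether those settings are at the hardened value for the two zones and, only with -Harden, sets them. The registry path and URL action IDs (1200, 1400, 1804) are Microsoft's documented zone settings, and 0x12000 is assumed to be the CurrentLevel value IE writes for the "High" template; check them against your own system before relying on the output.

```powershell
# Added example: audit (and optionally harden) the IE zone settings named in
# the Advisory 2757760 workaround. Runs against the current user's hive only.
param([switch]$Harden)   # without -Harden the script only reports

$zoneRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$zones    = @{ 1 = 'Local intranet'; 3 = 'Internet' }
$actions  = @{
    '1200' = 'Run ActiveX controls and plug-ins'
    '1400' = 'Active scripting'
    '1804' = 'Launching programs and files in an IFRAME'
}
$HighLevel = 0x12000   # assumed CurrentLevel value for the "High" zone template
$Disable   = 3         # URL action values: 0 = enable, 1 = prompt, 3 = disable

foreach ($id in ($zones.Keys | Sort-Object)) {
    $key = Join-Path $zoneRoot $id
    if (-not (Test-Path $key)) { Write-Warning "Zone $id key missing: $key"; continue }
    $props  = Get-ItemProperty -Path $key
    $level  = $props.CurrentLevel
    $status = if ($level -eq $HighLevel) { 'High' } else { 'NOT High (0x{0:X})' -f $level }
    Write-Output ('Zone {0} ({1}): CurrentLevel = {2}' -f $id, $zones[$id], $status)

    foreach ($action in ($actions.Keys | Sort-Object)) {
        $value = $props.$action            # missing value means IE uses the template default
        $weak  = ($null -eq $value) -or ($value -ne $Disable)
        $flag  = if ($weak) { 'WEAK' } else { 'ok  ' }
        Write-Output ('  {0} {1,-45} = {2}' -f $flag, $actions[$action], $value)
        if ($weak -and $Harden) {
            # Mitigation: disable the action, matching what the "High" template does
            Set-ItemProperty -Path $key -Name $action -Value $Disable -Type DWord
            Write-Output ('       -> set to {0} (Disable)' -f $Disable)
        }
    }
}
if ($Harden) { Write-Output 'Restart Internet Explorer for the changes to take effect.' }
```

Settings pushed by Group Policy live under HKLM and override the per-user values, so a "WEAK" report here can still be hardened at machine level; conversely, on a default install the Internet zone will show ActiveX and Active scripting as WEAK, which is exactly what the advisory's workaround changes.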

  5. ferdball · 765 days ago

    Why did Sophos retract the analysis for Troj/SWFDL-G?

    http://www.sophos.com/en-us/threat-center/threat-...

  6. ferdball · 765 days ago

    Why did Sophos retract the analysis for Troj/SWFDL-G?

  7. ferdball · 765 days ago

    Seriously? Who is censoring this? Chet?

    Where is my comment? I want a response from Sophos? I'm a Symantec customer, so I'd like to know that you're better at this.

    • Graham Cluley · 765 days ago

      Hi Ferdball - your comments aren't being censored.

      The detection got updated - we now detect the exploit itself - Exp/20124969-A.


About the author

Paul is a Boston-based reporter and industry analyst with more than a decade of experience covering the IT industry, cyber security and hacking. His work has appeared on threatpost.com, The Boston Globe, salon.com, NPR's Marketplace, Fortune Small Business, as well as industry publications including ZDNet, Computerworld, InfoWorld, eWeek, CIO, CSO and ITWorld.com. Paul got his 15 minutes as an expert guest on The Oprah Show - but that's a long story.