Microsoft advisory: Internet Explorer zero day affects most Windows versions

Responding to reports of attacks on a previously unknown hole in some versions of its Internet Explorer web browser, Microsoft pushed out a security advisory on Monday that revealed the vulnerability affects most supported versions of Internet Explorer and Windows.

The company urged users of Internet Explorer 9 and earlier to take steps to protect their computers from public attacks on the newly discovered security hole.

Microsoft released Security Advisory 2757760 late on Monday in response to reports of public attacks on Windows systems running the Internet Explorer web browser.

The release follows warnings from a security researcher on Sunday that a cybercriminal group linked to web-based attacks was using the previously unknown (or “zero day”) hole in Internet Explorer to infect vulnerable Windows XP systems with a variant of the Poison Ivy Trojan horse program.

(Sophos products detect malware using the Internet Explorer exploit as Troj/SWFDL-G, Troj/SWFDL-H and Troj/SWFDL-I.)

Eric Romang, a Luxembourg-based IT security advisor at ZATAZ.com, wrote over the weekend that he discovered the exploit when analyzing a batch of files hosted on one of the servers used to host attacks that exploited the Java vulnerability.

After running one of the sample files on a fully patched Windows XP SP3 system with an up-to-date version of Adobe Flash, Romang was surprised to find that the files loaded malicious software to his fully patched XP system.

In its advisory, Microsoft acknowledged Romang’s discovery of a remote code execution vulnerability that exists in an Internet Explorer function for accessing an object that has been deleted or improperly allocated.

That vulnerability can corrupt a system’s memory in a way that attackers could use to run their own code with the permissions of the current user on Internet Explorer. The vulnerability can be remotely exploited using a web page designed to target the hole, the company said.

The Microsoft advisory also makes clear that the vulnerability affects a far bigger swath of the company’s installed base than Romang’s initial analysis suggests.

Internet Explorer versions 6, 7, 8 and 9 were found to be vulnerable running on fully patched installations of Windows XP, Windows Vista, Windows 7 and Windows Server 2003 and 2008, Microsoft revealed. Only some versions of Windows Server 2008 for 32- and 64-bit systems and the yet-to-be released Windows 8 and Windows Server 2012 were not affected.

Microsoft said it continues to investigate the problem and will address the issue with a security patch, or possibly even an out-of-cycle update. The company is also working with anti-malware vendors in its MAPP (Microsoft Active Protections Program) to provide protections to customers using third party security software.

The company said that customers who were worried about being attacked could try temporary workarounds to protect themselves. One suggestion was to install the Enhanced Mitigation Experience Toolkit, a free utility that can prevent compromise using Microsoft’s Data Execution Prevention technology.

The company also encouraged users to set the Internet and Local intranet security zone settings in Internet Explorer to “High”, which will block ActiveX Controls and Active Scripting on untrusted web sites.

If Microsoft’s temporary workaround doesn’t appeal to you, your only sensible option is to change your browser. If you need a suggestion as to which one to use, why not check out the recent discussion from our readers regarding which browser they recommend.

_{Computer bug image, courtesy of Shutterstock}