Zero day vulnerability in Internet Explorer being used in targeted attacks, FixIt now available

Microsoft releases fix for Internet Explorer security hole, full patch coming Friday

Microsoft releases fix for Internet Explorer security hole, full patch coming FridayInternet Explorer users beware, there is a new zero day (previously unknown, unpatched vulnerability) attack targeting your browser.

Microsoft has issued an advisory about the flaw and it is being referred to as CVE-2012-4792. Microsoft has also made a temporary FixIt available until it can deliver a formal patch.

The flaw affects users of Internet Explorer 6, 7 and 8, but not 9 or 10 and allows for remote code execution with the privileges of the logged in user.

Another poignant reminder that running your computer as a non-administrative user pays off when new flaws are uncovered.

Non-privileged users will severely limit the damage that can be done using a vulnerability like this one.

The vulnerability was initially discovered by FireEye on the Council on Foreign Relations website on December 27th, 2012.

SophosLabs has records showing the Council’s website infected as far back as December 7th.

We have seen the exploit used on at least five additional websites suggesting the attack is more widespread than originally thought.

The attack appears to be closely related to attacks we reported on last June that were targeting visitors to a major hotel chain.

While the vulnerability being exploited is entirely different, the payload is nearly identical to the hotel attack and others we have associated with the Elderwood Project.

shutterstock-Wateringhole200While the attacks appeared to be targeted to a small number of sites, there is no obvious link between the victims.

Some are referring to this as a “watering hole” attack, but the evidence we have doesn’t necessarily support that conclusion.

If you use Internet Explorer, be sure you are using at least version 9 to avoid being a victim of these attacks. If you can’t upgrade, consider using an alternative browser until an official fix is available.

Microsoft’s FixIt is intended as a temporary workaround that could also be considered, but until an official fix is available I recommend avoiding IE 8 and lower.

If further information becomes available, we will publish the latest here on Naked Security.

Sophos Anti-Virus on all platforms blocks this malware as follows:

Exp/20124792-B: Misc. files specifically associated with this attack
Sus/Yoldep-A: Encoded payload also seen in other Elderwood Project attacks
Troj/SWFExp-BF: Adobe Flash component
Sus/DeplyJv-A: JavaScript components evolved from earlier Elderwood Project attacks

Update: Microsoft recommends using its EMET tool for the best mitigation against this threat until an official patch is available. You can find more details in the MS Advisory.

Update 2: There are reports that researchers have been able to exploit this vulnerability even with EMET and the FixIt in place. While it may be possible, we have yet to see any in the wild attacks using these techniques.

Watering hole photo courtesy of Shutterstock.