Softpedia
February 4th, 2010, 11:59 GMT · By

Microsoft Warns of New IE 0-Day

Microsoft has warned customers running Internet Explorer that details on a new zero-day vulnerability have been made available in the wild. The company emphasized that it had not detected any attacks or exploits targeting the newly discovered security hole, and that it is hard at work on producing a patch. The company published Security Advisory (980088) detailing the issue. The advisory is also designed to let customers take the necessary measures to protect themselves against potential exploits before the software giant offers a security update.

According to Jerry Bryant, senior security communications manager – lead, Microsoft, the highest level of risk is faced by customers running Internet Explorer on top of Windows XP or those who have turned off Protected Mode for the browser. However, even in the event of a successful exploit, an attacker could not execute arbitrary code remotely or take over users’ computers. Bryant revealed that, at most, an attack taking advantage of the security vulnerability could lead to Information Disclosure.

“It is important to note that customers running Internet Explorer 7 or Internet Explorer 8 in their default configuration on Windows Vista or later operating systems are not vulnerable to this issue as they benefit from Internet Explorer Protected Mode which protects from this issue,” Bryant said.

Protected Mode is an added security mitigation that was introduced in Windows Vista and perfected in Windows 7, and is designed to function in concert with User Account Control. IE7 and IE8 running in Protected Mode have fewer privileges than Notepad, for example, a situation which inherently protects end users from this attack.

“Our investigation so far has shown that if a user is using a version of Internet Explorer that is not running in Protected Mode an attacker may be able to access files with an already known filename and location. These versions include Internet Explorer 5.01 Service Pack 4 on Microsoft Windows 2000 Service Pack 4; Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4; and Internet Explorer 6, Internet Explorer 7, and Internet Explorer 8 on supported editions of Windows XP Service Pack 2, Windows XP Service Pack 3, and Windows Server 2003 Service Pack 2. Protected Mode prevents exploitation of this vulnerability and is running by default for versions of Internet Explorer on Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008. The vulnerability exists due to content being forced to render incorrectly from local files in such a way that information can be exposed to malicious websites,” Microsoft stated.

IE users can apply the workarounds detailed by the Redmond company in Microsoft Security Advisory (980088) in order to bulletproof their systems against attacks. Those running IE7 or IE8 on Windows Vista, or IE8 on Windows 7, are advised to turn on UAC and Protected Mode. Users of Windows XP can protect themselves by implementing Network Protocol Lockdown. Microsoft also offers an automated “Fix It” solution for enabling Network Protocol Lockdown.
