14 DAY TRIAL // The latest zero-day vulnerability affecting Internet Explorer provides yet another reason for customers running older releases of IE to upgrade to the most recent version. According to Microsoft, Internet Explorer 8 users are protected by default against exploits targeting a new vulnerability, but the same cannot be said for those running IE7 and IE6. In fact, the company has not only confirmed the new IE vulnerability, but also attacks in the wild targeting the 0-day flaw. In the eventuality of a successful exploit, an attacker could execute arbitrary code on an affected system, effectively taking over the machine.
“The vulnerability exists due to an invalid pointer reference being used within Internet Explorer. It is possible under certain conditions for the invalid pointer to be accessed after an object is deleted. In a specially-crafted attack, in attempting to access a freed object, Internet Explorer can be caused to allow remote code execution,” the company explained.
The Redmond company is already working on a patch, but in the meanwhile it has released Security Advisory (981374), designed to offer information to customers on the vulnerability. It is critical to stress the fact that, in order to exploit the vulnerability, an attacker would have to first draw users with vulnerable systems to specially crafted, malformed websites. Most probably, attackers would need to turn to social engineering in order to convince unsuspecting users to navigate to malicious websites. Customers should always avoid clicking on links coming from untrusted sources, especially in unsolicited IM messages and emails.
“Internet Explorer 8 is not affected by this issue. Customers using Internet Explorer 6 or 7 should upgrade to Internet Explorer 8 immediately to benefit from the improved security features and defense in depth protections. Additionally, Internet Explorer 5.01 on Windows 2000 is not affected,” Jerry Bryant, senior security communications manager lead, Microsoft, explained. “At this time, we are aware of targeted attacks seeking to exploit this vulnerability against Internet Explorer 6. Internet Explorer Protected Mode in Internet Explorer 7 running on Windows Vista helps to mitigate the impact of this issue. Additionally, Internet Explorer on Windows Server 2003 and Windows Server 2008 runs in a restricted mode that is known as Enhanced Security Configuration. This mode sets the security level for the Internet zone to High. This is a mitigating factor for Web sites that you have not added to the Internet Explorer Trusted sites zone.”
Security Advisory (981374) is an excellent resource, enabling customers to bulletproof their systems until Microsoft will make a patch available. Under the Suggesting Actions section, users will be able to find a list of workarounds that can be applied to secure systems against exploits. Microsoft notes that it has tested all the temporary solutions provided in the Security Advisory and that they are sufficient for blocking all known attack vectors.