New zero-day involves IE, puts Windows XP users at risk
Microsoft investigates unpatched flaw that affects users running IE7 and IE8
Computerworld - Microsoft on Sunday confirmed it's investigating an unpatched bug in VBScript that hackers could exploit to plant malware on Windows XP machines running Internet Explorer (IE).
The flaw could be used by attackers to inject malicious code onto victims' PCs, said Maurycy Prodeus, the Polish security analyst with iSEC Security Research who revealed the vulnerability and posted attack code on Friday.
Users running IE7 or the newer IE8 are at risk, said Prodeus.
Microsoft noted it's already on the case. "Microsoft is investigating new public claims of a vulnerability involving the use of VBScript and Windows Help files within Internet Explorer," said Jerry Bryant, a senior manager with the Microsoft Security Response Center (MSRC), in an e-mail Sunday. *The current state of our investigations shows that Windows Vista, Windows 7, Windows Server 2008, and Windows Server 2008 R2, are not affected."
Bryant added that Microsoft has not yet seen any evidence of attacks exploiting the vulnerability.
Prodeus called the bug a "logic flaw," and said attackers could exploit it by feeding users malicious code disguised as a Windows help file -- such files have a ".hlp" extension -- then convincing them to press the F1 key when a pop-up appeared. He rated the vulnerability as "medium" because of the required user interaction.
"First an attacker needs to force a victim to visit a malicious Web page," Prodeus said in an e-mail Sunday. "The victim must be using Windows XP [and] Internet Explorer. A bit of social engineering is required to persuade the victim to push F1 button when [a] VBScript pop-up is displayed."
Another security researcher, Cesar Cerrudo, confirmed that Prodeus' proof-of-concept exploit works. "I tried the exploit and I can confirm it reliably works on IE8 with Windows XP fully patched," said Cerrudo, the head of Argeniss Information Security, an Argentinean security consultancy.
Cerrudo thought that the flaw was more serious than did Prodeus. "I would say the vulnerability is 'high severity,' not 'medium,'" said Cerrudo in an e-mail. "It's not critical since it needs user interaction, the user pressing F1 key when a message dialog is displayed. [But] I would say that there is a high probability a regular user will press F1 key if asked, since an attacker can annoy the user with hundred of messages telling the user to press F1 to continue."
According to Cerrudo, Prodeus' attack is successful because it abuses the VBScript "MsgBox()" function.
"Windows Help files are included in a long list of what we refer to as 'unsafe file types'," acknowledged Microsoft's Bryant in a follow-up on the MSRC blog later on Sunday. "These are file types that are designed to invoke automatic actions during normal use of the files. While they can be very valuable productivity tools, they can also be used by attackers to try and compromise a system."
Bryant didn't provide a timeline for a fix, but used Microsoft boilerplate in his e-mail to say that the company might address the vulnerability with a regularly-scheduled fix, a so-called "out-of-band" update or other guidance.
Microsoft's next scheduled security release date is March 9.
Although Microsoft has not yet recommended any defensive steps Windows XP users can take until a patch is available, Prodeus said blocking the outbound TCP port 445 would stymie attacks. "However, it is worth to note that blocking this port doesn't solve the problem, because there might be [an]other attacking vector, for example, uploading an arbitrary file to the victim's machine at known path location using some third-party browser plug-ins," he said.
Another workaround, said Cerrudo in a Friday tweet, is to ditch IE for another browser.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed . His e-mail address is email@example.com.
- Russian credential theft shows why the password is dead
- Cybersecurity should be professionalized
- Feds declare big win over Cryptolocker ransomware
- Hackers hit more businesses through remote access accounts
- P.F. Chang's post-breach move to manual processing is telling
- Microsoft withholds monster IE update from Windows 8.1 dawdlers
- In baffling move, TrueCrypt open-source crypto project shuts down
- 'Oleg Pliss' hack makes for a perfect teachable IT moment
- Give IE the heave-ho until Microsoft patches zero-day
- Hackers find first post-retirement Windows XP-related vulnerability
Read more about Security in Computerworld's Security Topic Center.
- Securing Mobile App Data - Comparing Containers and App Wrappers Analysts agree that Mobile Device Management (MDM) is not enough when it comes to securing app data. Although it remains a critical component...
- PCI 3.0 Compliance In this white paper, learn how PCI-DSS 3.0 effects how you deploy and maintain PCI compliant networks using CradlePoint devices.
- Mitigating Security Risks at the Networks Edge This white paper provides strategies and best practices for distributed enterprises to protect their networks against vulnerabilities, threats, and malicious attacks.
- 5 Strategies for Modern Data Protection Read the five strategies for modern data protection that will not only help solve your current data management challenges but also ensure that...
- Business-driven data protection Setting up data protection infrastructures with your organizations' core mission or business in mind is key. In this webinar, the ARCserve team will...
- On-Demand Webinar: Mind the Gap! Watch the webinar featuring Bob Janssen, CTO and Co-Founder of RES Software, to start building a solid foundation for business and IT to... All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!