New zero-day involves IE, puts Windows XP users at risk
Microsoft investigates unpatched flaw that affects users running IE7 and IE8
Computerworld - Microsoft on Sunday confirmed it's investigating an unpatched bug in VBScript that hackers could exploit to plant malware on Windows XP machines running Internet Explorer (IE).
The flaw could be used by attackers to inject malicious code onto victims' PCs, said Maurycy Prodeus, the Polish security analyst with iSEC Security Research who revealed the vulnerability and posted attack code on Friday.
Users running IE7 or the newer IE8 are at risk, said Prodeus.
Microsoft noted it's already on the case. "Microsoft is investigating new public claims of a vulnerability involving the use of VBScript and Windows Help files within Internet Explorer," said Jerry Bryant, a senior manager with the Microsoft Security Response Center (MSRC), in an e-mail Sunday. *The current state of our investigations shows that Windows Vista, Windows 7, Windows Server 2008, and Windows Server 2008 R2, are not affected."
Bryant added that Microsoft has not yet seen any evidence of attacks exploiting the vulnerability.
Prodeus called the bug a "logic flaw," and said attackers could exploit it by feeding users malicious code disguised as a Windows help file -- such files have a ".hlp" extension -- then convincing them to press the F1 key when a pop-up appeared. He rated the vulnerability as "medium" because of the required user interaction.
"First an attacker needs to force a victim to visit a malicious Web page," Prodeus said in an e-mail Sunday. "The victim must be using Windows XP [and] Internet Explorer. A bit of social engineering is required to persuade the victim to push F1 button when [a] VBScript pop-up is displayed."
Another security researcher, Cesar Cerrudo, confirmed that Prodeus' proof-of-concept exploit works. "I tried the exploit and I can confirm it reliably works on IE8 with Windows XP fully patched," said Cerrudo, the head of Argeniss Information Security, an Argentinean security consultancy.
Cerrudo thought that the flaw was more serious than did Prodeus. "I would say the vulnerability is 'high severity,' not 'medium,'" said Cerrudo in an e-mail. "It's not critical since it needs user interaction, the user pressing F1 key when a message dialog is displayed. [But] I would say that there is a high probability a regular user will press F1 key if asked, since an attacker can annoy the user with hundred of messages telling the user to press F1 to continue."
According to Cerrudo, Prodeus' attack is successful because it abuses the VBScript "MsgBox()" function.
"Windows Help files are included in a long list of what we refer to as 'unsafe file types'," acknowledged Microsoft's Bryant in a follow-up on the MSRC blog later on Sunday. "These are file types that are designed to invoke automatic actions during normal use of the files. While they can be very valuable productivity tools, they can also be used by attackers to try and compromise a system."
Bryant didn't provide a timeline for a fix, but used Microsoft boilerplate in his e-mail to say that the company might address the vulnerability with a regularly-scheduled fix, a so-called "out-of-band" update or other guidance.
Microsoft's next scheduled security release date is March 9.
Although Microsoft has not yet recommended any defensive steps Windows XP users can take until a patch is available, Prodeus said blocking the outbound TCP port 445 would stymie attacks. "However, it is worth to note that blocking this port doesn't solve the problem, because there might be [an]other attacking vector, for example, uploading an arbitrary file to the victim's machine at known path location using some third-party browser plug-ins," he said.
Another workaround, said Cerrudo in a Friday tweet, is to ditch IE for another browser.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed . His e-mail address is email@example.com.
- Feds declare big win over Cryptolocker ransomware
- Hackers hit more businesses through remote access accounts
- P.F. Chang's post-breach move to manual processing is telling
- Microsoft withholds monster IE update from Windows 8.1 dawdlers
- In baffling move, TrueCrypt open-source crypto project shuts down
- 'Oleg Pliss' hack makes for a perfect teachable IT moment
- Give IE the heave-ho until Microsoft patches zero-day
- Hackers find first post-retirement Windows XP-related vulnerability
- Researcher claims two hacker gangs exploiting unpatched IE bug
- Update: Third of Internet Explorer users at risk from attacks
Read more about Security in Computerworld's Security Topic Center.
- The Pivotal Big Data Suite- Reducing the Risks of Big Data The explosion of big data and the rapid evolution of big data tools and technologies is challenging IT to meet the demands of...
- A Survival Guide for Data in the Wild All corporate data used to reside in the data center. Safe and sound behind the corporate firewall. But now, employees have multiple devices...
- Transforming Security: Designing a State-of-the-Art Extended Team The information security mission is no longer about implementing and operating controls.
- The Big Data Security Analytics Era Is Here New security risks and old security challenges often overwhelm legacy security controls and analytical tools.
- What should I look for in a Next Generation Firewall? SANS Provides Guidance With so many vendors claiming to have a Next Generation Firewall (NGFW), it can be difficult to tell what makes each one different....
- Responding to New SSL Cybersecurity Threat The featured Gartner research examines current strategies to address new SSL cybersecurity threats and vulnerabilities. All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!