Microsoft confirms hackers exploiting critical IE bug, promises patch
Suggests temporary defenses, but others urge users to switch to Chrome or Firefox
Computerworld - Microsoft on Monday issued a security advisory that confirmed in-the-wild attacks are exploiting an unpatched bug in Internet Explorer. The software maker is working on a fix.
The advisory addressed the "zero-day" vulnerability -- meaning it was discovered and exploited before a patch was available -- that was found and disclosed by researcher Eric Romang over the weekend. On Monday, the Metasploit open-source penetration framework published an exploit module for the bug, putting pressure on Microsoft to act quickly.
"We have received reports of only a small number of targeted attacks and are working to develop a security update to address this issue," said Yunsun Wee, director of Microsoft's Trustworthy Computing group, in a post to the Microsoft Security Response Center blog.
All but one supported edition of IE are affected: 2001's IE6, 2006's IE7, 2009's IE8 and last year's IE9. Together, those browsers accounted for 53% of all browsers used worldwide in August. The only exception was IE10, the browser bundled with the new Windows 8, which does not contain the bug.
Monday's advisory was expected, said Andrew Storms, director of security operations at nCircle Security. "I think they had to get it out today," said Storms late Monday in an interview over instant messaging. "Too many people watching and waiting for something official."
Earlier Monday, Microsoft acknowledged that it was investigating reports of a vulnerability but did not promise a patch.
The bug, when Microsoft gets around to patching it, will be rated "critical," the company's highest threat ranking. Exploiting the flaw allows hackers to execute code -- in other words, plant malware on a machine -- and opens Windows XP, Vista and Windows 7 to drive-by attacks that only require getting victims to visit a malicious or compromised website.
Until a patch is available, Microsoft recommended that users block attacks with EMET 3.0 (Enhanced Mitigation Experience Toolkit), boosting IE's security zone settings to "high," and configuring the browser to display a warning before executing scripts.
EMET is a tool designed for advanced users, primarily enterprise IT professionals, that manually enables anti-exploit technologies such as ASLR (address space layout randomization) and DEP (data execution prevention) for specific applications.
But not everyone agreed that EMET was the answer.
"[EMET] has its place, but I think most people would prefer the bug fix," said Storms. "EMET is one of those tools that takes time to deploy, [so] it's not a good idea to try and rush the deployment right now. It's kind of like a self-defeating process. Microsoft would like more people to use EMET, but given the few zero-days and relative quickness to patch things, the need for EMET seems to be reduced."
- Researcher claims two hacker gangs exploiting unpatched IE bug
- Update: Third of Internet Explorer users at risk from attacks
- Microsoft plans another short patch slate for next week, but finds a few XP bugs to crush
- Target attack shows danger of remotely accessible HVAC systems
- Target hackers try new ways to use stolen card data
- Update: Microsoft to patch just-revealed Windows zero-day tomorrow
- NSA spying prompts open TrueCrypt encryption software audit to go viral
- Microsoft warns of Office zero-day, active hacker exploits
- Hackers move to create next Blackhole after 'Paunch' arrest
- Adobe hack shows subscription software vendors lucrative targets
- Radicati: Cloud Business Email - Market Quadrant 2013 Google was named the top cloud business email provider in a recent report by research firm Radicati. Out of 14 key players, Google...
- Tablets in the Enterprise: A Checklist for Successful Deployment How can you enterprise manage and secure tablets in order to protect corporate data while providing access to the information and applications employees...
- Enterprise Mobility: A Checklist for Secure Containerization The advantages and disadvantages of the multiple approaches to containerization. Learn More>>
- Enterprise File Sync & Share Checklist File sync and share has changed the way people work and collaborate in today's tech-savvy world. Gone are the email roadblocks, clunky FTP...
- Live Webcast LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy... All Security White Papers | Webcasts