Hackers exploit critical IE bug; Microsoft promises patch
IE6 through IE11 harbor vulnerability, but in-the-wild attacks limited to IE8 and IE9
Computerworld - Microsoft today said that hackers are exploiting a critical, but unpatched, vulnerability in Internet Explorer 8 (IE8) and Internet Explorer 9 (IE9), and that its engineers are working on an update to plug the hole.
As it often does, the company downplayed the threat.
"There are only reports of a limited number of targeted attacks specifically directed at Internet Explorer 8 and 9, although the issue could potentially affect all supported versions," Dustin Childs, a manager in the Trustworthy Computing group and its usual spokesman, said in a blog post Tuesday morning.
"We are actively working to develop a security update to address this issue," Childs added.
According to Childs and the security advisory Microsoft also published today, the vulnerability affects all supported versions of IE, from the 12-year-old IE6 to the not-yet-officially-released IE11, the browser that will accompany Windows 8.1 when it ships Oct. 18.
"There is no escaping this one," said Andrew Storms, director of DevOps at cloud security vendor CloudPassage, referring to the bug affecting all versions of Microsoft's browser. "IE zero-days are never a good thing, especially when they affect every version," Storms added.
Although Microsoft's advisory did not put it in these terms, the vulnerability can be exploited using classic "drive-by" attack tactics. That means hackers need only lure victims running IE to malicious sites -- or legitimate websites that have previously been compromised and loaded with attack code -- to hijack their browser and plant malware on their Windows PCs.
Until Microsoft produces a patch, the company offered customers several options to protect themselves, including advice on configuring EMET 4.0 and running one of its "Fixit" automated tools to "shim" the DLL that contains the IE rendering engine.
EMET (Enhanced Mitigation Experience Toolkit) is a tool designed for advanced users, primarily enterprise IT professionals, that manually enables anti-exploit technologies such as ASLR (address space layout randomization) and DEP (data execution prevention) for specific applications.
But the Fixit route will be easiest for individual users: Microsoft's posted a link to the Fixit tool on its support site, and customers need only click the icon marked "Enable." Microsoft has used the shim approach before when faced with unexpected attacks against IE.
Based on past practice, Microsoft's Fixit workaround probably uses the Application Compatibility Toolkit to modify the core library of IE -- a DLL (dynamic link library) named "Mshtml.dll" that contains the browser's rendering engine -- in memory each time IE runs. The shim does not quash the bug, but instead makes the browser immune to the attacks Microsoft's seen in the wild thus far.
Users can also temporarily ditch IE for an alternate browser, such as Google's Chrome or Mozilla's Firefox, to stay safe until Microsoft comes up with a permanent fix.
Microsoft today declined to say when it plans to patch the IE vulnerability. But because the next regularly-scheduled Patch Tuesday is three weeks away, it's possible the Redmond, Wash. company's security team will deliver a so-called "out-of-band" update before Oct. 9.
Out-of-band updates from Microsoft are rare: The last one it shipped was MS13-008, an emergency patch issued Jan. 14 that plugged a hole in IE6, IE7 and IE8 that had been exploited since early December 2012.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed . His email address is firstname.lastname@example.org.
Read more about Endpoint Security in Computerworld's Endpoint Security Topic Center.
- SANS: Next-Generation Datacenters = Next-Generation Security This whitepaper takes a look at some new technology that may allow security teams to implement more flexible and capable protection models in...
- SANS: Protecting Virtual Endpoints with McAfee Server Security Suite Essentials SANS review of McAfees Server Security Suite Essentials that address some of the emerging challenges of securing virtual platforms and cloud environments.
- Mitigating Multiple DDoS Attack Vectors It's time to rethink and refine the enterprise security architecture, so organizations can remain agile and resilient against future threats. Download this infographic...
- EndPoint Interactive eGuide In this eGuide, Network World, Computerworld, and CIO examine two endpoint trends - BYOD and collaboration - and offer tips and advice on...
- Live Webcast 5 Steps to Assuring Quality of Experience In order to align monitoring and management practices with the true demands of the business, IT professionals must expand beyond traditional comfort zones...
- Live Webcast Master the Changing SAP Landscape with Performance Management SAP landscapes are not getting simpler. Gradually, business processes that used to be contained on a single SAP system now involve a range...
- Accelerate your innovation with IBM Bluemix™ Join us for a webcast introducing the new IBM BluemixTM. IBM Bluemix (www.bluemix.net) is a developer oriented Platform as a Service (PaaS) environment...
- Maximizing Availability for the Modern Data Center Check out this information-packed resource center for help in maximizing the availability of your data center - from overcoming challenges to choosing the... All Endpoint Security White Papers | Webcasts