Microsoft has issued an emergency patch today to address a dangerous Internet Explorer zero-day vulnerability that is being targeted by attackers against organizations in the United States and other regions. An update also will be provided to users of the company's newly retired Windows XP software, the company said.
The update was issued at 1 p.m. EST, said Microsoft spokesperson Dustin Childs in a message on the company's Security Response Center Blog. The critical update impacts all currently supported versions of Internet Explorer running on Windows, including Windows XP, he said.
"Windows XP is no longer supported by Microsoft, and we continue to encourage customers to migrate to a modern operating system, such as Windows 7 or 8.1," Childs said. "Additionally, customers are encouraged to upgrade to the latest version of Internet Explorer, IE 11."
The decision to issue a patch to Windows XP users is based on the proximity to the end of support for the operating system. Microsoft officially ended support April 8. Users of Windows XP are strongly encouraged to [go to] a more modern operating system, said Adrienne Hall, general manager of Trustworthy Computing at Microsoft, in a blog post explaining the decision. However, Hall called the threat "overblown."
"The reality is there have been a very small number of attacks based on this particular vulnerability and concerns were, frankly, overblown," Hall said. "Unfortunately, this is a sign of the times and this is not to say we don’t take these reports seriously. We absolutely do."
Microsoft issued an Internet Explorer security advisory on Sunday, warning users that zero-day vulnerabilities in its browser were being used in targeted attacks. A spokesperson at FireEye, the firm that detected the attacks, told CRN that it saw them initially being waged against U.S. organizations associated with defense and financial-sector firms. A spokesperson told CRN that the attacks expanded to government and energy-sector firms. They also appear to be coming from multiple criminal groups.
The attacks lure users into clicking a malicious link, which forwards victims to an attack website with the aim of gaining complete control of the victim's PC, FireEye said.
FireEye Technical Director Christopher Glyer told CRN on Wednesday that the attacks also were detected at organizations based in multiple regions of the world, including companies with headquarters in Europe and the U.S. The zero-day exploit is being used by a cybercriminal organization that is known for carrying out targeted attacks to gain access to intellectual property, Glyer said.
"To date, we have contained the breaches to the initial infection vector," Glyer told CRN, indicating that the attacks have not resulted in any data leakage. "We detected the attacker fast enough and implemented blocks prior to the attacker being able to move laterally."
Solution providers told CRN that the serious attack needed to be addressed quickly by Microsoft because workarounds designed to reduce the risk of an attack could be tedious for some firms. The attack doesn't work if Flash is removed from the browser, but the company also recommended implementing other restrictions, including the use of its Enhanced Mitigation Experience Toolkit.
The update was somewhat unexpected, said Peter Hesse, president and founder of Chantilly, Va.-based solution provider Gemini Security Solutions.
"The reason probably has more to do with the fact that it was not a lot of extra effort to include XP as one of the supported platforms, because there is probably a shared code base that existed across multiple platforms," Hesse told CRN. I would not expect this to be repeated frequently as Microsoft has made it very clear that they are not going to be investing in continued efforts for XP."
Attackers have long turned their sights on browser vulnerabilities and the complex mix of often vulnerable browser components, said Chris Camejo, director of consulting and professional services at Boston-based NTT Com Security.
"Flash, along with Java, Adobe¹s Reader software, and Internet Explorer itself are the most common client-side targets likely due to both their ubiquity and complexity," Camejo said. "More complexity equates to more likely vulnerabilities."
PUBLISHED MAY 1, 2014