Microsoft Issues Temporary Patch For IE Zero-Day Threat; Permanent Patch Scheduled For Friday
The memory corruption vulnerability, which was acknowledged on Monday by Microsoft, impacts versions 7, 8 and 9 of Internet Explorer, although version 10, the most recent rev, appears to be unaffected at this point.
Versions nine through six "probably represents about 90% of the IE market, if not more," said Andrew Storms, director of security operations for nCircle. "IE 10 does not seem to be vulnerable to this. We're not sure why, but I suspect it's a case where it was already found and fixed."
[Related: Internet Explorer Zero-Day Threat Linked To Java ]
Although the Microsoft statement indicated that the vulnerability does not impact the majority of its customers, the attack has been integrated into Metasploit and other white hat tools that are frequently used by black hat hackers, thereby making the exploit available to a far wider range of criminals.
According to Marc Maiffret, CTO at BeyondTrust, the attack currently being executed into the wild begins with a malicious website that determines which version of IE the host system is running. It then loads additional software to perform a heap spray and load an iframe. Protect.html is then loaded to trigger the vulnerability, at which point Poison Ivy is downloaded. A successful exploit leads to the ability to execute remote code.
"You essentially need to get a bunch of your attacker-supplied code loaded into memory on Internet Explorer," explained Maiffret. "You can do that through leveraging something like Flash, or in the case of the Metasploit attack, they're using Java. So it's interesting to note that if you don't have Java, you're not vulnerable to this as a Metasploit attack."
It is generally believed that the vulnerability is exploitable through means other than Java, however many security experts have recommended disabling Java as a means of strengthening their security posture.
PUBLISHED SEPT. 19, 2012