“We will release a Fix it in the next few days to address an issue in Internet Explorer, as outlined in the Security Advisory 2757760 that we released yesterday,” Microsoft said Tuesday evening in its security blog.
“While we have only seen a few attempts to exploit the issue, impacting an extremely limited number of people, we are taking this proactive step to help ensure Internet Explorer customers are protected and able to safely browse online,” it added.
Redmond’s fix is a one-click solution for any Internet Explorer user, and it will not affect users’ ability to browse the web. “It will provide full protection against this issue until an update is available.”
While it works on a patch, Microsoft has published a security advisory recommending that customers also use the Enhanced Mitigation Experience Toolkit (EMET) to put roadblocks in place that prevent the zero-day exploit from working. It also said that customers should set the Internet and Local intranet security zones in Internet Explorer to “High” to block ActiveX controls and Active Scripting from running, or configure them to prompt before executing. This will affect business application performance but will keep the environment safe.
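As an added example (not from the article, Microsoft, or the advisory itself), the following PowerShell applies that zone hardening for the current user and reads it back to verify; the registry layout (zone ids, action ids 1200 and 1400, CurrentLevel values) is the one Microsoft documents in KB182569, and the function names are assumptions of this example.

```powershell
# Added example: set the Internet (zone 3) and Local intranet (zone 1) zones
# to "High" and block or prompt for ActiveX controls and Active scripting,
# then verify. Registry layout per Microsoft KB182569. Assumes it runs as the
# user being hardened; for a fleet, push the same values via Group Policy.
$ZonesRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$Zones     = @{ 1 = 'Local intranet'; 3 = 'Internet' }
$Actions   = @{ 1200 = 'Run ActiveX controls and plug-ins'; 1400 = 'Active scripting' }
$Enabled, $Prompt, $Disabled = 0, 1, 3   # action values used by IE zone settings
$LevelHigh = 0x12000                     # CurrentLevel template value for "High"

function Set-IEZoneMitigation {
    param([switch]$PromptInsteadOfBlock)
    # The advisory offers two choices: block outright (3) or prompt (1).
    $action = if ($PromptInsteadOfBlock) { $Prompt } else { $Disabled }
    foreach ($zoneId in $Zones.Keys) {
        $key = "$ZonesRoot\$zoneId"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # CurrentLevel is only the label IE displays; the per-action values
        # below are what it actually enforces, so both are written.
        Set-ItemProperty -Path $key -Name 'CurrentLevel' -Value $LevelHigh -Type DWord
        foreach ($actionId in $Actions.Keys) {
            Set-ItemProperty -Path $key -Name "$actionId" -Value $action -Type DWord
        }
        Write-Host ("{0} zone: CurrentLevel=High, 1200/1400={1}" -f $Zones[$zoneId], $action)
    }
}

function Test-IEZoneMitigation {
    # Returns $true only when no zone/action pair is still "Enabled" (0).
    $ok = $true
    foreach ($zoneId in $Zones.Keys) {
        $props = Get-ItemProperty -Path "$ZonesRoot\$zoneId"
        foreach ($actionId in $Actions.Keys) {
            $name  = "$actionId"
            $value = $props.$name
            if ($null -eq $value -or $value -eq $Enabled) {
                Write-Warning ("{0}: '{1}' is still enabled" -f $Zones[$zoneId], $Actions[$actionId])
                $ok = $false
            }
        }
    }
    return $ok
}

Set-IEZoneMitigation            # or: Set-IEZoneMitigation -PromptInsteadOfBlock
Test-IEZoneMitigation
```

If the machine-wide policy value Security_HKLM_only is set, IE reads the same keys under HKLM instead of HKCU, so the verification should be pointed at that hive there.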
First noticed by Eric Romang, the new vulnerability affects IE 9 and earlier on the Windows XP operating system and is already deployed in the wild, thanks to the fact that Metasploit has created a working module. It relies on the presence of Java, so disabling Java plug-ins is a good first step toward protection.
Meanwhile, security researchers have been quick to analyze the issue. According to AlienVault Labs researcher Jaime Blasco, the command-and-control (C&C) server is apparently located in the UK at the IP address 12.163.32.15 – an address used in previous attacks, he said.
Here’s how it works: A file called exploit.html creates the initial vector to exploit the vulnerability and load a Flash file called Moh2010.swf, which is encrypted using DoSWF. Moh2010.swf performs the heap spray and loads Protect.html, which checks if the system is running a vulnerable version of IE. If so, the vulnerability is triggered and the payload, Poison Ivy, is dropped.
“We have received reports of only a small number of targeted attacks and are working to develop a security update to address this issue,” Yunsun Wee, director of Microsoft’s Trustworthy Computing group, said in the advisory. “We are monitoring the threat landscape very closely and if the situation changes, we will post updates here on the MSRC blog and on Twitter at @MSFTSecResponse.”
Not everyone is playing it down, however. “The new Internet Explorer vulnerability is a major concern for millions of users,” said Carl Leonard, senior security research manager EMEA at IT security firm Websense. “Significantly, cyber criminals will look to exploit this vulnerability and the trusting nature of end-users to propagate targeted attacks putting both corporate and personal data at risk.”
He added, “The vulnerability allows attackers to execute code on a machine by just having a user visit a malicious website which can happen by simply tricking the user to click on a link in an email or via compromised legitimate websites. While zero-day vulnerabilities are rare, businesses need real-time inline security to battle these new threats as and when they appear.”