New zero-day vulnerability in Internet Explorer being actively exploited
September 17, 2012
(Updated Sept 19, 2012, to include IE 6, plus tightening the security level of IE browsers)
The security channels are buzzing today with news about a brand new "zero-day" vulnerability in Internet Explorer browsers 6, 7, 8 and 9, which is actively being exploited to load the Poison Ivy Trojan onto victimized computers.
Details are still emerging about the exact method through which Internet Explorer is being exploited. However, one common factor is that the current exploit also requires Adobe Flash to be installed. The term "Heap Spray" is being used to describe the code injection step; it leads to the download of a Shockwave Flash file by loading an invisible iframe into the browser. That Flash file in turn downloads and executes a file which installs the Poison Ivy Trojan.
NEW
A successful exploit of Windows Vista or Windows 7 also requires a vulnerable version of Java to be installed.
All of this happens behind the scenes and runs with the full privileges of the logged-in user. This means that if you are lured to this trap while operating with Administrator privileges and browsing with Internet Explorer 6 through 9, your fully patched Windows PC may have Poison Ivy, or some other Trojan, silently installed right in front of you.
People who log in to less privileged account types will have to approve the malware installation and provide Admin credentials. While they might be tricked by crafty language, it is less likely that most of them will be fooled. FWIW, I operate as a Power User (Win XP) and a Standard User in Windows 7. Both are less privileged accounts.
A zero-day exploit gives the maker of the exploited software no head start in developing a patch. This gives the malware creators more time to infect millions of PCs while the software maker tries to reverse engineer the threat and develop a patch. Microsoft is certainly working on a patch for this vulnerability as I type this (using Firefox).
NEW
Microsoft has published Security Advisory 2757760 about this vulnerability and their plans to deal with it. In a blog post, Microsoft has just promised to release a temporary "FixIt Tool" until an official patch is tested and released via Windows Update Services. That tool should appear soon on the above linked page.
Watch for an out-of-band critical patch from Windows Update Services any time in the next few days or weeks. Make sure you have Automatic Windows Updates turned on with the recommended settings, and set the time to check for updates to a time when your PC is normally turned on.
There is an advanced and difficult-to-understand security tool (EMET) available from Microsoft, which may or may not mitigate this threat, if you can figure out how to use it. But I recommend that you browse with an alternate browser until a patch is released and you have installed it. Good options are Mozilla Firefox and Google Chrome.
People at risk are those using Windows XP, Vista and 7 and browsing with Internet Explorer versions 6, 7, 8 and 9. Internet Explorer 10 (Windows 8) is NOT vulnerable. Nonetheless, using a different browser for a while seems like a prudent thing to do. Both Firefox and Chrome will offer to import your cookies and bookmarks (Favorites) from Internet Explorer, making your transition easier. I did this several years ago and have been using Firefox browsers exclusively ever since. They get updated almost every month or so.
NEW INFO:
If you must browse with Internet Explorer, set the Security slider to the highest, most restrictive position. This disables ActiveX support and most of what MS calls "active scripting."
I have been reading security blogs and following Tweets from security companies concerning this new zero-day vulnerability. Most are writing or have written definitions to detect the exploit payload. Trend Micro goes one step further and blocks access to the servers hosting the malware files. If you use any current version of Trend Micro Internet Security products, you are protected by the Trend Smart Protection Network.
The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use, or derivative work requires written permission from the author.