Use of Other Browsers Recommended Until Situation Remediated.
The Department of Homeland Security’s U.S. Computer Emergency Response Team is urging online users to avoid using Internet Explorer, versions 6 through 11, in light of a vulnerability that exposes the Web browser to a zero-day exploit involved in recent targeted attacks. DHS urges users and administrators to “consider employing an alternative Web browser until an official update is available.”
The exploit was first identified by security firm FireEye, which outlined the vulnerability in an April 26 blog post. The company says the exploit is significant because the vulnerable browsers “represent about a quarter of the total browser market.”
US-CERT, in an April 28 statement, says the vulnerability “could lead to the complete compromise of an affected system.”
In addition, Carnegie Mellon University’s CERT program says the vulnerability can allow for a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system. “This vulnerability is being exploited in the wild,” Carnegie Mellon’s CERT says. “Although no Adobe Flash vulnerability appears to be at play here, the Internet Explorer vulnerability is used to corrupt Flash content in a way that allows ASLR to be bypassed via a memory address leak. This is made possible with Internet Explorer because Flash runs within the same process space as the browser. Note that exploitation without the use of Flash may be possible.”
Carnegie Mellon’s CERT says it’s unaware of a practical solution to this problem. But it recommends the use of the Microsoft Enhanced Mitigation Experience Toolkit to help prevent exploitation of this vulnerability.
The European Network and Information Security Agency issued an alert April 28, saying this exploit is a “serious zero-day attack on society … which demonstrates that there is no 100 percent security.”
ENISA recommends using another browser until the issue has been fixed. “One of the biggest problems with this vulnerability is that the Windows XP users will be exposed since no patch will be released for XP” (see: End of XP Support: Are Banks Really Ready?).
The Internet Explorer vulnerability is a “tremendous risk,” says Tom Kellermann, managing director for cyberprotection at Alvarez and Marsal, a business management firm. “It is akin to leaving your keys in the ignition in a bad neighborhood,” he says. “It is imperative that users move to other browsers until a patch has been released. Passwords should also be immediately changed and anti-virus programs run.”
In an April 26 post, Microsoft acknowledges it’s aware of “limited, targeted attacks that attempt to exploit a vulnerability” in Internet Explorer versions 6 through 11. “The vulnerability exists in the way that Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated.” the statement notes.
“The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website.”
Microsoft says once it’s completed its investigation, it will take appropriate action to protect its customers, “which may include providing a solution through our monthly security update release process, or an out-of-cycle security update, depending on customer needs.”
A cyber-attacker could use the vulnerability to gain the same user rights as the current user, Microsoft says. “If the current user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system,” the company says. “An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”
Security experts have warned of the challenges present once Microsoft discontinued support of the Windows XP operating system (see: What Happens When Windows XP Support Ends?).
The issue is critical to all sectors, said Richard Edwards, a principal analyst at the consultancy Ovum. He said there was justified concern that after April 8, when Microsoft stops supporting XP, organizations running the operating system could be targeted by hackers using unforeseen exploits. That’s because Microsoft will no longer be issuing updates and security patches to address XP vulnerabilities.
Pedro Bustamante of anti-malware firm Malwarebytes says vulnerabilities such as this will be an increasing threat for all Internet users. “The interim risk to people and businesses using IE 6 to 11, until MS pushes out a patch, is troubling,” he says. “But the more potentially severe issue is that anyone still using XP will be completely exposed as long as they continue to use the unsupported OS. For them there will never be a patch.”