Microsoft IE 8 Hit by Zero Day Flaw


Microsoft's security teams are scrambling in the light of a new zero day attack against its Internet Explorer Web browser that has already hit the U.S. Department of Labor.

Microsoft issued an advisory late Friday, warning of a critical flaw in IE 8 that could lead to a remote code execution attack. The flaw only impacts IE 8, according to Microsoft and does not affect IE 6, 7, 9 or 10.

"In the latest watering hole attack against Department of Labor (DoL), our research indicates a new IE zero-day is used in this watering hole attack, although some other vendors claim they are using known vulnerabilities," Fireeye researcher Yichong Lin wrote in a blog post last week.

As it turns out, Lin and Fireeye were right. Microsoft credited the security firm with helping to alert them to the flaw.

"The vulnerability exists in the way that Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated," Microsoft warns in its advisory. "The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer."

Watering Hole Attack

The attack involves a so-called watering hole scenario in which a user visits a site and is then unknowingly redirected to download malware.

According to Symante's advisory on the issue, the new IE 8 zero day is similar in nature to a vulnerability that Microsoft patched with the MS13-008 update in January of this year. That update was also a zero-day flaw that was identified by Fireeye as a watering hole attack risk. The MS13-008 patch was an out-of-band update and was not issued as part of the normal Patch Tuesday update cycle.

Microsoft's regularly scheduled Patch Tuesday update is next week, though it's not clear at this point if the new zero day will be part of that update.

"On completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include providing a solution through our monthly security update release process, or an out-of-cycle security update, depending on customer needs," Microsoft stated in its advisory.

In addition to the new zero day, Microsoft has yet to patcha pair of flaws first reported during the Pwn2own hacking challenge in March of this year.

Mitigations against the new zero day include upgrading to newer versions of IE, including IE 9 or 10. Multiple IPS vendors have also released new rules to help detect the attack.

Tim Erlin, director of IT security and risk strategy for Tripwire, warned that in regard to the Department of Labor attack, however, it's very difficult to defend against an unknown vulnerability exploited through a third party.

"The attackers clearly knew that this vulnerability existed in IE8, and that IE8 is the most widely used browser in general," Erlin said. "Did they also know that it’s the most widely used at the Department of Labor or was that just a ‘lucky’ accident?"

Sean Michael Kerner is a senior editor at eSecurity Planet and Follow him on Twitter @TechJournalist.