Establishing Digital Trust: Don't Sacrifice Security for Convenience
Microsoft's security teams are scrambling in the light of a new 0 day attack against its Internet Explorer web browser that has already hitthe U.S. Department of Labor.
Microsoft issued an advisorylate Friday, warning of a critical flaw in IE 8 that could lead to a remote code execution attack. The flaw only impacts IE 8, according to Microsoft and does affect IE 6,7,9 or 10.
"In the latest watering hole attack against Department of Labor (DoL), our research indicates a new IE zero-day is used in this watering hole attack, although some other vendors claim they are using known vulnerabilities," Fireeye researcher, Yichong Lin wrote in a blog postlast week.
As it turns out, Lin and Fireeye were right and Microsoft credited the security firm with helping to alert them to the flaw.https://o1.qnsr.com/log/p.gif?;n=203;c=204650394;s=9477;x=7936;f=201801171506010;u=j;z=TIMESTAMP;a=20392931;e=i
"The vulnerability exists in the way that Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated," Microsoft warns in its advisory. "The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer."
The way the attack works is in a so called watering hole scenario where a user visits a site and is then unknowingly redirected to download malware.
According to Symante's advisory on the issue, the new IE 8 0-day is similiar in nature to a vulnerabilty that Microsoft patched with the MS13-008 update in January of this year. That update was also a 0-day flaw that had also been identified by Fireeye as as a watering hole attack risk. The MS13-008 patchwas an out-of-band update and was not issued as part of the normal Patch Tuesday update cycle.
Microsoft's regularly scheduled Patch Tuesday update is next week, though it's not clear at this point if the new 0 day will be part of that update.
"On completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include providing a solution through our monthly security update release process, or an out-of-cycle security update, depending on customer needs," Microsoft stated in its advisory.
In addition to the new 0-day, Microsoft has yet to patcha pair of flaws first reported during the Pwn2own hacking challenge in March of this year.
Mitigations against the new 0-day include upgrading to newer version of IE, including IE 9 or 10. Multiple IPS vendors have also released new rules to help detect the attack as well.
Tim Erlin, director of IT security and risk strategy for Tripwire, warned however that in regards to the Department of Labor attack, it's very difficult to defend against an unknown vulnerability exploited through a third party.
"The attackers clearly knew that this vulnerability existed in IE8, and that IE8 is the most widely used browser in general," Erlin said. " Did they also know that its the most widely used at the Department of Labor or was that just a lucky accident?"
Sean Michael Kerner is a senior editor at eSecurity Planet and InternetNews.com. Follow him on Twitter @TechJournalist.