Microsoft is urging users of Internet Explorer to download a free security tool, the Enhanced Mitigation Experience Toolkit (EMET), as an interim measure against a previously unknown zero-day vulnerability in its web browser that is under active attack by malware.
Eric Romang, a researcher in Luxembourg, discovered it on Friday after finding his computer infected by the Poison Ivy Trojan, which hackers use to gain remote access to their victims' computers and steal data. According to Romang, further analysis revealed that it got onto his computer via a flaw in Internet Explorer.
The exploit that delivers Poison Ivy targets a “use-after-free” vulnerability in IE that lets a hacker create an image URL referencing uninitialized memory. This corrupts the memory and, once the attack completes, gives the attacker remote code execution with the same permissions as the current user.
The vulnerability affects all versions of Internet Explorer from IE6 to IE9, on every OS release from Windows XP through Windows 7 and Server 2008. Interestingly, IE 10 running on Windows 8 and Server 2008 is not affected, according to Microsoft’s Security Advisory.
“What may be most worrying is that Windows Vista and 7 don’t protect you,” said HD Moore, CSO of security firm Rapid 7, and the chief architect of the Metasploit tool kit, used widely by penetration testers and hackers. “This is one of the few times that a vulnerability has been successfully exploited across all the production shipping versions of the browser and OS. The surprising thing about this is the fact they (Metasploit researchers) got [it] to work across every one of these platforms.”
The flaw could be sidestepped by upgrading from Oracle’s Java Standard Edition 6 to the newer Java Standard Edition 7 version, though this is not recommended as there is another critical flaw that Oracle hasn’t yet acknowledged or patched in Java 7 Update 7, which could allow an attacker to take control of the computer, according to Ars Technica.
The interim fix using EMET will likely prove complicated for many, especially businesses, which may see adverse effects on existing software running on their networks. Because of this, security firms such as Symantec recommend that users switch to an alternative browser such as Chrome or Firefox, at least until Microsoft releases a permanent fix that closes the hole.
Microsoft says a fix is in the works and may be released during its normal monthly update cycle, or in a separate security update, depending on customers' needs.