Internet Explorer hit by zero-day exploit, temporary fix issued

By Lee Kaelin on September 18, 2012, 10:30 AM

Microsoft is urging users of Internet Explorer to download a free security tool, the Enhanced Mitigation Experience Toolkit (EMET), as an interim measure against a previously unknown zero-day exploit in its web browser software that is under active malware attack by hackers.

Eric Romang, a researcher in Luxembourg, discovered it on Friday after finding his computer infected by the Poison Ivy Trojan, used by hackers to gain remote access to their victims' computers to steal data. According to Romang, further analysis revealed it got onto his computer via a flaw in Internet Explorer.

Poison Ivy exploits a “use-after-free vulnerability” in IE that enables a hacker to create an image URL referencing uninitialized memory. This corrupts the memory and, once fully executed, gives the attacker remote access with the same permissions as the current user.

The vulnerability affects computers running all versions of Internet Explorer from IE6 to IE9, on every OS release from Windows XP through Windows 7 and Server 2008. Interestingly, though, Microsoft’s IE 10 running on Windows 8 and Server 2008 is not affected, according to Microsoft’s Security Advisory.

“What may be most worrying is that Windows Vista and 7 don’t protect you,” said HD Moore, CSO of security firm Rapid7 and chief architect of the Metasploit tool kit, used widely by penetration testers and hackers. “This is one of the few times that a vulnerability has been successfully exploited across all the production shipping versions of the browser and OS. The surprising thing about this is the fact they (Metasploit researchers) got [it] to work across every one of these platforms.”

The flaw could be sidestepped by upgrading from Oracle’s Java Standard Edition 6 to the newer Java Standard Edition 7 version, though this is not recommended as there is another critical flaw that Oracle hasn’t yet acknowledged or patched in Java 7 Update 7, which could allow an attacker to take control of the computer, according to Ars Technica.

The interim fix using EMET will likely prove complicated for many, especially businesses that may suffer adverse effects with existing software used on their networks. Because of this, security firms such as Symantec recommend computer users switch to an alternative browser like Chrome or Firefox, at least until Microsoft releases a permanent fix to plug the exploit.

Microsoft says a fix is in the works and may be released during its normal monthly update cycle, or in a separate security update, depending on customers' needs.

User Comments: 8

Oh no disconnect puters from internet problem solved..

Guest said:

How could this be? I mean I've seen all those Microsoft commercials showing how great Internet Explorer is.

NoNamesLeft said:

Can someone explain to me why browsers are not placed in a virtual machine-like layer? So when someone breaks out of IE, they only get into a fake computer that has no access to anything.

1 person liked this | Guest said:

Two words: System Resources.

klepto_chris said:

Why didn't they just release an emergency patch via MS update?

Tygerstrike said:

So you're telling us that yet again MS has released a product that is flawed. How does this happen? I mean don't they quality test their own product? Or hand it over to some paid hackers and let them tear into it? That seems the least they could do. If some enterprising hacker can find this, why didn't the ppl who made it?

1 person liked this | Tanstar said:

Tygerstrike: This error has been there since IE 6.0 and WinXP and was just now discovered. That tells me it wasn't an obvious or easy hack.

EEatGDL said:

Yep, totally agree with Tanstar, I thought the same thing; something must have been done very well on IE 10.
