Microsoft revealed Tuesday it was investigating a previously unknown security flaw affecting all versions of its Web browser, Internet Explorer.
Hackers have attempted to exploit the vulnerability in targeted attacks on users of versions 8 and 9 of the browser, the company reported in a security advisory.
“The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer,” the advisory says.
After Microsoft completes its probe of the problem, it will offer a solution, either through its “Patch Tuesday” maintenance cycle or through an out-of-cycle security update, according to the alert.
Meanwhile, a temporary fix that addresses the problem in 32-bit versions of IE is available for download. No fix is available for 64-bit users, but since the versions of the browser load and run differently, a flaw that affects one version of the program may not affect the other.
A Microsoft spokesperson was not immediately available to comment for this story.
Prior to Tuesday, the vulnerability had been exploited only in a limited way, but now that it has been publicized, that’s likely to change.
“To date, it’s been very targeted, but with Microsoft’s release of the fix, hackers will quickly reverse-engineer it, and we’ll start seeing exploits being widespread in the next day or two,” Alex Watson, director of security research at Websense, told TechNewsWorld.
Soon after that, it will become standard fare in popular exploit kits distributed at online black market sites.
“Once it’s in Metasploit [a public online vulnerability database], all hackers, regardless of how inept they are, will be able to use it with an off-the-shelf exploitation kit,” NSS Labs Research Director Randy Abrams told TechNewsWorld.
That would be bad news for many Windows users. “This exploit has quite a wide attack surface,” Websense’s Watson observed. “Seventy percent of all Windows computers would be vulnerable to this exploit.”
Desertion Not an Option
Although it hasn’t been determined yet what malware is connected to the exploit, it can be used for a variety of malicious purposes.
“These exploits typically are used to download advanced malware — malware that gives an attacker full control of a machine or steals information and sends it to the attacker,” Dana Tamir, director for enterprise security for Trusteer, told TechNewsWorld.
Users who don’t want to fiddle with fixes could temporarily switch to another browser, since FireFox, Chrome and other Web navigators aren’t affected by the vulnerability. That may not be a wise alternative, though, maintained NSS’ Abrams.
“The difficulty of saying, ‘Use another browser because of this vulnerability’ is that when it comes to socially engineered malware downloads, which are very, very common, none of the other browsers offer anywhere close to the amount of protection,” he said.
“They may not have this vulnerability, but they also don’t offer certain other protections,” Abrams added.
The latest versions of Microsoft IE also contain a security feature called “Address Space Layout Randomization.” It makes it harder to attack the memory addresses where an application loads into RAM because those addresses change every time an app is reloaded.
“Recent versions of applications made by Microsoft and others randomize, to some extent, where code goes in memory, making it very much more difficult — in fact, almost impossible — for hackers to predict, because every time the code runs it uses memory locations differently,” Don Retallack, a systems management and security analyst with Directions on Microsoft, told TechNewsworld.
However, all of IE’s components do not use ASLR.
“It’s no coincidence,” Neohapsis Security Consultant Patrick Thomas told TechNewsWorld, “that attackers are targeting a dynamic-link library that did not get compiled with ASLR.”
When Adblock Plus, NoScript and Ghostery all work properly with IE, maybe then we can talk about IE being more secure than other browsers. Until that happens I find it hard to fathom how anyone could make that claim unless their salary was somehow being payed by Microsoft…