Microsoft Warns of Newly Discovered Zero-Day Internet Explorer Flaw
According to Microsoft's Security Advisory (2887505), released on Tuesday, the company is investigating active exploits that are currently targeting Internet Explorer 8 and 9 users.
The remote code execution vulnerability "exists in the way that Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated," according to Microsoft and may corrupt memory to the point where attackers could inject malicious code to a targeted system when a harmful Web site was visited.
"And more bad news: the average user is very susceptible to being hit with this, said Paul Henry, security and forensic analyst at security firm Lumension in an e-mailed statement. "The average user does not run the restricted sites mode, are not using the Enhanced Security Configuration and are all-too-willing to click on phishing emails."
While Microsoft has only witnessed attacks taking advantage of the flaw directed towards IE 8 and 9, most versions of the Web browser are in danger, said Dustin Childs of the Trustworthy Computing group. ""There are only reports of a limited number of targeted attacks specifically directed at Internet Explorer 8 and 9, although the issue could potentially affect all supported versions," said Childs.
However, there are some mitigating factors that lessen the threat for some IE users, according to Microsoft's security advisory:
- Due to Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2 running in the Enhanced Security Configuration restricted mode, the vulnerability is not able to be exploited.
- Because Microsoft Outlook, Microsoft Outlook Express, and Windows Mail open HTML e-mails in the Restricted sites zone, the malicious code cannot be executed straight from the message because script and ActiveX controls are disabled. However, clicking on a specially crafted Web link in the e-mail body could lead to a malicious site that can take advantage of this hole.
- Microsoft said those users with limited user rights are at less risk of attack than those with admin rights.
Along with the advisory, Microsoft has released Fix it solution "CVE-2013-3893 MSHTML Shim Workaround" while the company continues to investigate the vulnerability. Along with applying this, Microsoft said users can also configure EMET (Enhanced Mitigation Experience Toolkit) 4.0 for Internet Explorer.
With the latest Microsoft Security Update arriving just last week, it's unclear if Microsoft will wait for October's patch rollout to release a fix or push through a rare out-of-band patch. In the meantime, users can avoid the threat of attack by the two means described or by switching to another Web browser until a permanent fix is available.