Emergency Microsoft Security Advisory (2887505) – Vulnerability in Internet Explorer Could Allow Remote Code Execution

Microsoft has released an emergency advisory, ‘Vulnerability in Internet Explorer Could Allow Remote Code Execution’, covering a zero-day vulnerability that hackers have exploited in IE versions 8 and 9 on Windows XP and Windows 7. The advisory follows Microsoft's investigation of public reports of the vulnerability. The vulnerability affects “all supported versions of its browser (IE6, IE7, IE8, IE9, IE10, and IE11).” (Emil Protalinski, 2013).

Zero-day vulnerabilities, also known as zero-day attacks, are software holes or backdoors that are not known to the vendor, meaning that the attack occurs on ‘day zero’ of the reaction to the exposure. The developers will have had zero days to address and patch the vulnerability.

The company has found that the flaw could potentially affect all supported versions, although it says that running “modern versions” of IE has the advantage of additional security features that can help prevent successful attacks. The flaw in question makes remote code execution possible if you browse to a website containing malicious content for your specific browser type (an attacker can either compromise a regularly frequented and trusted site or convince the user to click a link in another application).

1. How the vulnerability is exploited

The vulnerability exists in the “way that Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated. The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website.” (Microsoft Security TechCenter, 2013).

The attacker who successfully exploits this vulnerability could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

“In a web-based attack scenario, an attacker could host a website that contains a webpage that is used to exploit this vulnerability. In addition, compromised websites and websites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these websites. Instead, an attacker would have to convince users to visit the website, typically by getting them to click a link in an email message or Instant Messenger message that takes users to the attacker’s website.” (Microsoft Security TechCenter, 2013)

2. Mitigation strategies

Microsoft has not yet completed its investigation and has not provided a solution through a security update. For now, the only option is to implement the following mitigation techniques:

a) For critical web servers, set Internet Explorer (on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2) to run in a restricted mode.

b) Run all critical services and applications in the Restricted sites zone (Microsoft Outlook, Microsoft Outlook Express, and Windows Mail open HTML email messages). “The Restricted sites zone, which disables script and ActiveX controls, helps reduce the risk of an attacker being able to use this vulnerability to execute malicious code. If a user clicks a link in an email message, the user could still be vulnerable to exploitation of this vulnerability through the web-based attack scenario.” (Microsoft Security TechCenter, 2013)

c) Set the Internet and local intranet security zone settings to “High” to block ActiveX Controls and Active Scripting.

d) Configure Internet Explorer to send alerts before running Active Scripting.

e) Fully disable Active Scripting in the Internet and local intranet security zones. (This option may affect the normal work environment; take caution when implementing it.)

f) Download the Microsoft Fix it solution tool and run it on the host to mitigate the vulnerability.
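To check whether mitigations (c) to (e) are actually in place on a host, the zone settings can be read from the registry. The following read-only audit is an added example, not part of the Microsoft advisory or the Fix it tool; it relies on the standard Internet Explorer zone layout (zone 1 = Local intranet, zone 3 = Internet, action `1400` = Active Scripting, `CurrentLevel` `0x12000` = High). The function names are hypothetical, and it assumes PowerShell 3.0 or later and does not handle the `Security_HKLM_only` policy.

```powershell
# Added example: read-only audit of the Active Scripting mitigations.
# Zone numbers and action values are the standard IE URL security zone settings.
$zones   = @{ 1 = 'Local intranet'; 3 = 'Internet' }
$actions = @{ 0 = 'Enabled'; 1 = 'Prompt'; 3 = 'Disabled' }
$suffix  = 'Microsoft\Windows\CurrentVersion\Internet Settings\Zones'

# Checked in this order: machine policy, user policy, then the user's own setting.
$roots = @(
    "HKLM:\SOFTWARE\Policies\$suffix",
    "HKCU:\Software\Policies\$suffix",
    "HKCU:\Software\$suffix"
)

function Get-ZoneValue {
    # Hypothetical helper: returns the first value found and where it came from.
    param([int]$Zone, [string]$Name)
    foreach ($root in $roots) {
        $item = Get-ItemProperty -Path "$root\$Zone" -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            return [pscustomobject]@{ Value = [int]$item.$Name; Source = $root }
        }
    }
    return $null
}

function Get-IEScriptingMitigationStatus {
    foreach ($zone in ($zones.Keys | Sort-Object)) {
        $scripting = Get-ZoneValue -Zone $zone -Name '1400'
        $level     = Get-ZoneValue -Zone $zone -Name 'CurrentLevel'

        $state = if ($null -eq $scripting) { 'Not set' }
                 elseif ($actions.ContainsKey($scripting.Value)) { $actions[$scripting.Value] }
                 else { "Unknown ($($scripting.Value))" }

        [pscustomobject]@{
            Zone            = $zones[$zone]
            ActiveScripting = $state
            HighTemplate    = ($null -ne $level -and $level.Value -eq 0x12000)
            # Mitigation (d) is 'Prompt'; (c) and (e) both result in 'Disabled'.
            Mitigated       = ('Prompt', 'Disabled' -contains $state)
            Source          = if ($scripting) { $scripting.Source } else { $null }
        }
    }
}

Get-IEScriptingMitigationStatus | Format-Table -AutoSize
```

A zone reported as `Enabled` or `Not set` has none of the scripting mitigations applied for the current user.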

References

[1] Emil Protalinski, (2013), Microsoft releases temporary fix for vulnerability in all IE versions, warns of targeted IE8 and IE9 attacks. Retrieved 20th September, 2013 from http://thenextweb.com/microsoft/2013/09/17/microsoft-investigating-new-ie-vulnerability-in-all-versions-warns-of-targeted-attacks-against-ie8-and-ie9/

[2] Microsoft Security TechCenter, (2013), Microsoft Security Advisory (2887505) – Vulnerability in Internet Explorer Could Allow Remote Code Execution. Retrieved 19th September, 2013 from http://technet.microsoft.com/en-us/security/advisory/2887505

Appendix 1 – Table 1 – Affected Software

Operating System Component
Internet Explorer 6
Windows XP Service Pack 3 Internet Explorer 6
Windows XP Professional x64 Edition Service Pack 2 Internet Explorer 6
Windows Server 2003 Service Pack 2 Internet Explorer 6
Windows Server 2003 x64 Edition Service Pack 2 Internet Explorer 6
Windows Server 2003 with SP2 for Itanium-based Systems Internet Explorer 6
Internet Explorer 7
Windows XP Service Pack 3 Internet Explorer 7
Windows XP Professional x64 Edition Service Pack 2 Internet Explorer 7
Windows Server 2003 Service Pack 2 Internet Explorer 7
Windows Server 2003 x64 Edition Service Pack 2 Internet Explorer 7
Windows Server 2003 with SP2 for Itanium-based Systems Internet Explorer 7
Windows Vista Service Pack 2 Internet Explorer 7
Windows Vista x64 Edition Service Pack 2 Internet Explorer 7
Windows Server 2008 for 32-bit Systems Service Pack 2 Internet Explorer 7
Windows Server 2008 for x64-based Systems Service Pack 2 Internet Explorer 7
Windows Server 2008 for Itanium-based Systems Service Pack 2 Internet Explorer 7
Internet Explorer 8
Windows XP Service Pack 3 Internet Explorer 8
Windows XP Professional x64 Edition Service Pack 2 Internet Explorer 8
Windows Server 2003 Service Pack 2 Internet Explorer 8
Windows Server 2003 x64 Edition Service Pack 2 Internet Explorer 8
Windows Vista Service Pack 2 Internet Explorer 8
Windows Vista x64 Edition Service Pack 2 Internet Explorer 8
Windows Server 2008 for 32-bit Systems Service Pack 2 Internet Explorer 8
Windows Server 2008 for x64-based Systems Service Pack 2 Internet Explorer 8
Windows 7 for 32-bit Systems Service Pack 1 Internet Explorer 8
Windows 7 for x64-based Systems Service Pack 1 Internet Explorer 8
Windows Server 2008 R2 for x64-based Systems Service Pack 1 Internet Explorer 8
Windows Server 2008 R2 for Itanium-based Systems Service Pack 1 Internet Explorer 8
Internet Explorer 9
Windows Vista Service Pack 2 Internet Explorer 9
Windows Vista x64 Edition Service Pack 2 Internet Explorer 9
Windows Server 2008 for 32-bit Systems Service Pack 2 Internet Explorer 9
Windows Server 2008 for x64-based Systems Service Pack 2 Internet Explorer 9
Windows 7 for 32-bit Systems Service Pack 1 Internet Explorer 9
Windows 7 for x64-based Systems Service Pack 1 Internet Explorer 9
Windows Server 2008 R2 for x64-based Systems Service Pack 1 Internet Explorer 9
Internet Explorer 10
Windows 7 for 32-bit Systems Service Pack 1 Internet Explorer 10
Windows 7 for x64-based Systems Service Pack 1 Internet Explorer 10
Windows Server 2008 R2 for x64-based Systems Service Pack 1 Internet Explorer 10
Windows 8 for 32-bit Systems Internet Explorer 10
Windows 8 for 64-bit Systems Internet Explorer 10
Windows Server 2012 Internet Explorer 10
Windows RT Internet Explorer 10
Internet Explorer 11
Windows 8.1 for 32-bit Systems Internet Explorer 11
Windows 8.1 for 64-bit Systems Internet Explorer 11
Windows Server 2012 R2 Internet Explorer 11
Windows RT 8.1 Internet Explorer 11

Source: http://technet.microsoft.com/en-us/security/advisory/2887505
