Attackers Target Internet Explorer Zero-Day Flaw


Microsoft has warned about ongoing attacks targeting a new zero-day vulnerability in Internet Explorer and has issued an automated, temporary patch until an official security update is released.

The remote code execution vulnerability affects Internet Explorer 6, 7, and 8.

The software giant said an attacker can target the flaw by tricking users into browsing to a malicious website, which begins with a phishing email or instant message. Attackers are targeting the error by setting up a watering-hole-style attack using malicious Javascript. The technique can bypass Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP), two Microsoft security features designed to prevent malicious code execution in memory.

[Related: VMware Patches Zero Day Flaw In Desktop Virtualization Software]

In its security advisory, Microsoft said it would not rule out an out-of-cycle update. The company's regularly scheduled Patch Tuesday patch release is scheduled for Jan. 8.

"While we have still observed only a few attempts to exploit this issue, we encourage all customers to apply this Fix to help protect their systems," wrote Dustin Childs, group manager of Microsoft response communications in the company's Microsoft Security Report Center blog.

According to the security advisory, the flaw may corrupt memory in a way that could enable an attacker to execute malicious code on a victim's computer. The coding error exists in the way IE accesses an object in memory that has been deleted or has not been properly allocated. A successful attack gives a cybercriminal the same user rights as the victim.

Microsoft said users can upgrade to IE 9 and 10, which are not affected by the flaw.

"The temporary patch prevents malicious code from targeting the vulnerability. The workaround will have a small effect on the startup time of Internet Explorer," wrote Cristian Craioveanu, a Microsoft engineer on the Microsoft Security Research and Defense blog. Applying the temporary patch does not require a reboot.

Security researchers at FireEye were among the security firms that first detected attacks when the Council on Foreign Relations Web site was found to be hosting the malicious code targeting the IE flaw last week. Proof-of-concept code also was released for the Metasploit Framework, making the attack technique more widely available.

PUBLISHED JAN. 2, 2013