Microsoft published a security advisory today that informs system administrators and end users about a new 0-day vulnerability affecting Internet Explorer 6, 7, 8 and 9 but not IE 10. The vulnerability is already being actively exploited on the Internet, which makes it a pressing matter for all Windows users who work with Internet Explorer.
The advisory itself does not reveal much about the vulnerability other than that it is a remote code execution vulnerability that gives the attacker the same rights as the logged-in user if exploited successfully. Internet Explorer users need to actively visit a website or open an HTML page in the browser for the attack to be successful. A specially prepared web page or a hacked website are two possible scenarios.
A remote code execution vulnerability exists in the way that Internet Explorer accesses an object that has been deleted or has not been properly allocated. The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website.
Internet Explorer on Windows Server versions runs in restricted mode, which mitigates the vulnerability. The same is true for Microsoft email clients such as Microsoft Outlook, as HTML emails are also opened in the restricted zone. HTML links that open in Internet Explorer, on the other hand, are still dangerous.
EMET, the Enhanced Mitigation Experience Toolkit, can be used to mitigate the vulnerability. You need to add Internet Explorer once you have installed the application. To do that you can either load one of the default configuration files or add iexplore.exe manually to the program.
Microsoft offers two additional mitigation workarounds.
- Set Internet and Local intranet security zone settings to "High" to block ActiveX Controls and Active Scripting in these zones, and add sites you trust to the Trusted Sites zone
- Configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone
You can find detailed instructions on how to do that on the security advisory page. I have been running EMET on my systems ever since I discovered the application and have not experienced any issues doing so. Great program, definitely recommended.
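The two Active Scripting workarounds listed above end up as per-zone registry values, so whether they are actually in place on a machine can be checked. The following PowerShell is an added example, not taken from Microsoft's advisory or from this article; it only reads the registry and assumes the standard Internet Explorer zone layout (zone 1 = Local intranet, zone 3 = Internet, action 1400 = Active Scripting, CurrentLevel 0x12000 = High).

```powershell
# Added example: read-only audit of the Active Scripting workarounds.
# Assumed IE zone layout: zone 1 = Local intranet, zone 3 = Internet,
# action 1400 = Active Scripting (0 = enabled, 1 = prompt, 3 = disabled),
# CurrentLevel 0x12000 = "High" security template.
$zones = @(
    @{ Id = 1; Name = 'Local intranet' },
    @{ Id = 3; Name = 'Internet' }
)
# Policy keys are checked as well as the per-user key, since a Group Policy
# value can override the user's own setting.
$suffix = 'Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$roots = @(
    "HKLM:\Software\Policies\$suffix",
    "HKCU:\Software\Policies\$suffix",
    "HKCU:\Software\$suffix"
)
$states = @{ 0 = 'Enabled'; 1 = 'Prompt'; 3 = 'Disabled' }

function Get-ZoneScriptingAudit {
    foreach ($root in $roots) {
        foreach ($zone in $zones) {
            $key   = "$root\$($zone.Id)"
            $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
            if (-not $props) { continue }      # key absent: nothing configured here
            $action = $props.'1400'
            $level  = $props.CurrentLevel
            if ($null -eq $action -and $null -eq $level) { continue }

            # Translate the raw DWORD into a readable state.
            if ($null -eq $action) { $label = 'Not set' }
            elseif ($states.ContainsKey([int]$action)) { $label = $states[[int]$action] }
            else { $label = "Unknown ($action)" }

            [pscustomobject]@{
                Location          = $key
                Zone              = $zone.Name
                ActiveScripting   = $label
                HighTemplate      = ($level -eq 0x12000)
                WorkaroundApplied = ($action -in 1, 3)   # prompt or disabled
            }
        }
    }
}

Get-ZoneScriptingAudit | Format-Table -AutoSize -Wrap
```

A row with `WorkaroundApplied` set to `False` for the Internet or Local intranet zone means Active Scripting still runs without a prompt in that zone at that registry location.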
In other news: while Internet Explorer 10 is not listed as vulnerable, it is still running a vulnerable Flash version. (thanks Ilev)